press release 25/10/1999
Consultation on Draft Legislation and the Government's Response to the Trade & Industry Committee's Report: Response by Thus plc

Promoting Electronic Commerce

Introduction

Thus welcomes this opportunity to comment on the Department of Trade and Industry consultation paper "Promoting Electronic Commerce" dated July 1999. Thus is the new identity of ScottishTelecom and includes the Demon Internet business. Founded in June 1992, Demon Internet is the pioneer of low-cost flat-rate Internet connectivity in the UK and the Netherlands for both business and home users. As well as offering standard dial-up services for individuals, Demon Internet offers a comprehensive range of dial-up business services and leased-line solutions. Demon Internet is presently the fourth largest web hosting business in the world.

Permission is granted for this response to be made public and indeed Demon Internet intends to place this response on its Internet web site for the benefit of customers and others who are interested in these matters.

This area will be of key importance to the competitive position of the United Kingdom and indeed the European Union in the coming years and it is vital that this legislation is right first time. While we welcome the Government's decision to proceed with the Bill, it is not without flaws in its present form and we would urge the Government to take note of the comments from industry and take this opportunity to amend the Bill accordingly. The following sections discuss the various parts of the Draft Bill in more detail.

Part I - Cryptography Service Providers

Part I of the Bill is a generic template for a statutory, voluntary regulation scheme. The Government's own view appears to be that if the cryptography service industry can come up with its own scheme then Part I of the Bill will remain on the statute book, but will not be brought into force.
This apparent need for reserve powers suggests that the Government does not have complete trust in the industry schemes that are being developed. Although this approach is consistent with the Government's stated policy of regulating only where necessary, we are concerned that holding powers in reserve in this manner might have undesirable side effects. If this apparent lack of trust is detected by the end users of cryptography services then it could well be damaging to the industry and therefore to the competitiveness of the United Kingdom in this area. Any future activation of this Part will merely serve to confirm that people's trust in cryptography service provision has been misplaced. This would be a damaging blow from which it would take a considerable time to recover.

We do understand the policy aims which the Government is trying to achieve but doubt the value of a single national statutory scheme. It is not something which is required by our Internet business, Demon Internet. They would look at the world market when purchasing cryptographic services for their own use or when finding services to recommend to customers. It is unclear how a national endorsement scheme would provide any added value. We would be far more interested in seeing endorsement on a pan-European or global (industry-wide) basis and believe that the Government should focus its efforts in these areas. We would also question the need for a single umbrella scheme for regulation, rather than different schemes for different aspects of what will become, within a few years, a very complex marketplace.

Most of Part I is extremely general and detailed comments could only be made when a specific scheme was being mooted. However, there is one specific issue that can be noted now. We are amongst the many who believe that compulsory key escrow would undermine confidence among potential users of e-commerce.
We are pleased that the Government's stance is that compulsory key escrow is no longer contemplated. However, this Part of the Bill leaves open the possibility of compulsory key escrow being introduced as a condition of licensing, without the need for further legislation. We believe that explicitly excluding the possibility of subordinate legislation being introduced for this purpose would eradicate the fear, uncertainty and doubt surrounding this topic and thereby contribute to the development of e-commerce in the United Kingdom.

Part II - Facilitation of Electronic Commerce, Data Storage, etc

Part II of the Bill contains Clause 7, which is supposed to remove any doubt surrounding the validity of electronic signatures, and Clauses 8 and 9, which set out a scheme for amending legislation to allow the use of "electronic writing". Although it might be argued that electronic signatures are already recognised by the law in England and Wales (Goodman v Eban (1954) allows different forms of signatures, and the Civil Evidence Act 1995 removes the previous distinctions between originals and copies and forms of documents), in Scotland the Requirements of Writing (Scotland) Act 1996 does not include electronic signatures. We welcome the fact that Clause 7 will serve to harmonise the law throughout the United Kingdom, thereby removing this potential barrier to electronic trading in all parts of the country and placing the admissibility of electronic signatures on a statutory footing. We do have a number of concerns, however, regarding the drafting of Clause 7 and believe that it does not lend itself to clarity.
We are pleased to see the provisions for the amendment of legislation to allow electronic writing. We note that the Bill grants the relevant minister extensive powers to update legislation, but that these powers are entirely discretionary. In our response to the original consultation document, we confirmed that we believed subordinate legislation was the most appropriate means of developing the law on electronic writing. We welcome the Government's adoption of this approach in Clause 8. We fully understand that it is not possible to set out a definitive timetable for reform within the body of the Bill but believe that an outline programme for the future development of the legislation would be of use to the industry. This is an extremely fast-moving market sector and it is vital that the legislation keeps pace with developments in the market. Government confirmation of an intention to keep legislation current would provide a degree of comfort to the industry in the United Kingdom.

We note that there is no provision within the Bill that will ensure that changes to electronic methods will be technology neutral, or to ensure any standardisation across or even within departments. It would be a retrograde step for one part of Government to require information in, say, Microsoft Word format, and another to insist on WordPerfect. It would be wise to add a requirement that where plain, freeform text would be accepted as a document then plain "ASCII" electronic documents should also be acceptable.

There are also dangers that enthusiasm for new electronic methods will be allowed to run away with itself. One can foresee departments deciding to require authentication of electronic documents and promoting custom schemes for this, with a consequent distortion of the marketplace. The competition issues can be debated when specific schemes are proposed in the future - but there is a basic principle here that should be on the face of this Bill.
It should be forbidden to require authentication of electronic documents that goes beyond the authentication required of the equivalent traditional paper-based document. If paper documents can be sent with a self-certifying signature then the same should hold for an email.

Finally, it is to be hoped that this consultation exercise and subsequent parliamentary scrutiny will greatly improve these clauses as to the safeguards and requirements that electronic schemes should satisfy. As such, the Bill should not exclude the Inland Revenue and Customs and Excise from these requirements. Although the current progress towards allowing electronic writing through provisions in the Finance Act is to be welcomed, these bodies should in future be subject to the same meta-scheme for changing legislation as everyone else.

Part III - Investigation of Protected Electronic Data

ScottishTelecom and Demon Internet recently responded to the Home Office consultation paper on replacing the current Interception of Communications Act (IOCA). We find it immensely disappointing to see the lack of overlap between the proposals being made there and the appearance of new powers in Part III of a Bill which is seeking to promote trust in electronic commerce. We note that this Part of the Bill (along with the related Schedules) occupies some 15 pages out of 31 in total. This is entirely disproportionate. We strongly urge the Government to consider a co-ordinated approach to ensure that the IOCA and e-commerce legislation are consistent with one another.

We see that the Bill seeks to introduce a "Section 10 notice" that will require the production of encryption keys upon demand.
ISPs may well find that they communicate, unwittingly, with criminals and we must therefore expect to receive our share of Section 10 notices. The nature of public key encryption means that in order to read what someone has sent us it is our key that must be sought, not the criminal's key. As such we welcome the presence of Clause 11, which will allow us to provide plain text instead. We can see that it might be onerous for some people to do this - hence plain text is an option and not a requirement.

We do, however, have a number of concerns regarding the scope of the powers under s.10. In particular there is no requirement on the issuer of a Section 10 notice to meet any tests of reasonableness, nor even to demonstrate that there is any material to be decrypted. The issuer can prescribe that plain text is unacceptable and again there is no way of testing whether this is a proper decision. As the innocent recipient of a Section 10 notice an ISP would have no ability to challenge the notice or its provisions as to appropriateness or proportionality. The recipients of such notices will incur costs in providing the material required and there is no provision for recovering those. We are also concerned that situations might arise where a Section 10 notice might oblige a person to disclose material which in fact incriminates that person. The ECHR case of Saunders v United Kingdom confirmed that such evidence would be inadmissible at trial.

Naturally, we wish to assist law enforcement agencies where we are legally required to do so, but once keys have been released it is a fundamental principle of security that they should be replaced by new, re-secured versions as soon as possible. Encryption keys are valuable things. As the technology becomes more widely available and easier to use we will be encouraging everyone who communicates with us to use strong encryption. This will inevitably mean that people will entrust to email information that they would not do today.
We have grave concerns that by disclosing our keys to outside agencies we will increase the risk of outsiders gaining unauthorised access, thereby compromising the privacy and security of our customers. We would very much prefer to be handing over plain text, even if in some circumstances we had to do it extremely promptly. We note that the proposed US legislation will work along these lines - allowing those upon whom a notice is served to choose the path of minimum disruption. If there are extreme circumstances where, perhaps for reasons of timeliness of decryption, only the handing over of keys makes practical sense, then there should be a test of reasonableness in making such orders and they should be capable of being challenged as necessary. Making a special change of our keys to protect our interests, after investigations are complete, will be an expensive proposition and should be reserved for those cases where it is absolutely unavoidable rather than for trivial reasons.

There will be a need for a degree of education of those charged with exercising these powers. We are particularly concerned that we will end up in Court for failing to comply with Section 10 notices. In the past the police have (understandably) shown a lack of understanding about the way our business works. At least initially we expect to receive Section 10 notices referring to keys that we do not possess because our customers hold them. We would not expect to run cryptographic services that required us to hold keys on behalf of customers, because of the difficulty of showing that we had not released them. However, the fact that we do not hold customer keys might not be apparent to an outsider and so we must expect to have to defend ourselves for failing to comply with a Section 10 notice.
Instances of misunderstanding can be reduced by a process of educating and informing law enforcement agencies and we would urge Government to make provision for such measures in advance of the legislation coming into force. We are also concerned that the statutory defence under section 12(2)(a) will be a remarkably difficult defence to use because one has to prove a negative. We believe that it should be for the prosecution to show that we had the key, rather than the other way around. The burden of proof should lie with the prosecution but the current wording of the Bill suggests that this position will be reversed.

We believe that the "tipping off" clause will cause us considerable operational difficulties and these problems will be far worse for smaller ISPs. Consider what happens when a Section 10 notice, complete with gagging order, is served upon an individual within the company. We are of a size to have an in-house legal team to turn to - so there is some chance of proper procedures being followed. Smaller ISPs will have to spend money on outside legal advice - it will not, for example, be allowable to consult a central pool of expertise within the industry, such as LINX or ISPA, because the only person you can talk to is your legal advisor. However, if there are technical issues to be resolved before a key can be released then the legal people may not be able to help and it could be an offence for the individual to discuss even the existence of the Section 10 notice with technical colleagues. If these colleagues notice the release of the key then this may lead to a report to management or even the police for criminal activity - charges which an individual cannot defend themselves from without committing a "tipping off" offence. It is unclear to us why a specific "tipping off" offence is required rather than relying upon a more general offence of Obstructing the Course of Justice.
If there must be a specific offence then it should be far more narrowly drawn so as to relate to passing information in such a way as to prejudice an investigation. We believe that the blanket ban on discussing the notice goes beyond what can be justified and will make our business far harder to run.

We read the clauses on safeguards most carefully. However, despite careful searching we can see no statutory requirements for protecting divulged plain text - Clause 15 deals solely with looking after keys. This is highly unsatisfactory. The very fact that a communication has been encrypted would suggest that the author regards its contents as sensitive and it ought therefore to be protected. We are dismayed to see that although there will be a code of practice it is explicitly stated in 16(10) that it will not make those who breach it liable to criminal or civil proceedings. As stated above, keys are valuable. Those entrusted with their custody ought to be accountable.

We are concerned that the chairman and members of the Tribunal will be relatively ignorant of cryptography and inexperienced in this field. While it will be necessary to have a chairperson experienced in judicial matters to handle complaints about the exercise of powers under the Bill, urgent consideration should be given to allowing the Tribunal to co-opt lay members more experienced in cryptography and e-commerce.

We are concerned that there is a gap between the Courts and the Tribunal. It is clear that where courts have made a decision about Section 10 notices then this decision can be appealed in the normal way. Where the Secretary of State makes a decision then the Tribunal has jurisdiction. However, there are some scenarios in Schedule I where senior police officers, and others, can make decisions. These decisions do not seem to be properly covered, since the Tribunal cannot address them.
Finally, we would suggest, as we did in response to the IOCA consultation, that it is inappropriate for elected politicians to be making decisions on matters such as Section 10 notices. These notices should be coming from the judicial system and not from the current incumbent as Home Secretary.

Part IV - Miscellaneous and Supplemental

Part IV contains definitions and matters such as citations, but the substantive material relates to amendments to the Telecommunications Act 1984. Although Thus supports the Government's policy objective of simplifying the regulatory regime, we have serious concerns about the proposed mechanism for appeals against licensing changes. The telecoms industry in the United Kingdom has gone through a period of extensive licensing change over the last 18 months and a period of stability and regulatory certainty is now required. We believe that the proposed mechanism is flawed and should be considered further before it is laid before Parliament.

Given the substantial amount of change to licences in recent months we do not understand the DTI's urgency in bringing forward this new procedure. Given that telecoms licences have only just been extensively modified we are not sure what further changes the DTI believes will be required in the near future. The subject is of sufficient importance to justify taking time to consider fully what changes are required rather than proceeding with proposals as flawed as those currently in the draft Bill. Proper consideration is vital if a process which is fair and effective is to be produced.

In the consultation document, it was suggested that one of the motivating factors behind this part of the legislation is concern that an individual licensee is presently able to delay a large-scale licence modification.
We acknowledge that this is a shortcoming of the present system, but one that could easily be overcome by amending the current system so that an operator's failure to respond to a modification notice would amount to a deemed consent. The procedure set out in the Bill is, we believe, disproportionate. The wholesale removal of operators' rights to object to a licence modification is, we believe, disproportionate and unwarranted. Experience to date has shown that operators do not lodge spurious appeals to the MMC in order to delay licence modifications. Such referrals are costly both in terms of resource and finance and are not entered into lightly.

Thus is also concerned that the proposed scheme lacks clarity and certainty. The Bill uses the term "significant minority" but operators have no means of assessing what the term means in terms of the number of licensees this might represent. The introduction of a procedure which leaves such important matters to be determined at a later date is, in our view, simply unacceptable. On the assumption that Oftel would take into account the position of a licensee and the market size in assessing the definition of a "significant minority", we are concerned that the Bill in its present form would withdraw the automatic right of appeal from all operators except BT. This would provide the dominant operator with a greater ability to resist licence modifications than other operators. In our view this is discriminatory and would also distort competition.

We fully support the Government's contention that regulation must be flexible and responsive to change, but we believe that the current proposals are deeply flawed. The perceived problem with the current system (that a single operator can effectively delay or block an industry-wide licence change) can be overcome by adopting a system of deemed consent where the operator fails to respond to a notified licence modification.
Conclusions

We believe that this Bill requires amendment in a number of areas before it can be presented to Parliament.

Part I is unnecessary, since even the Government wants to see self-regulation or indeed co-regulation as espoused in "e-commerce@its.best.uk".

Part II is intended to remove doubt about electronic signatures but we have doubts about the clarity which it achieves in its present form.

Part III has the potential to make criminals out of innocent people caught up in a crime. The provision of keys to law enforcement is a significant risk to company infrastructures and there are no tests of reasonableness in the issuing of demands nor proper provision of safeguards when keys have been divulged.

The proposed appeals procedure set out in Part IV is fundamentally flawed. We are not convinced that it is required, although we accept that reform is necessary. The proposed mechanism lacks clarity and would lead to uncertainty of regulation at a time when the industry requires clarity and certainty. We strongly urge the DTI to reconsider this Part of the Bill and to consider, as an alternative, amending the current system by moving to a deemed consent procedure for licence modifications.

We would urge the Government to take note of the comments received from industry and to reflect these in the legislation which is finally laid before Parliament. The legislation ought to speed the UK on the course we all desire, of being the best place in the world to conduct business online.

Thus plc
©Copyright 2008 THUS