E-commerce: debugging legacy legislation

Legislation will be introduced to promote electronic commerce and start modernising the law, improving competitiveness by enabling the United Kingdom to compete in the digital marketplace.1

On 23 July 1999 the Government published the draft Electronic Communications Bill2.  Its appearance marks the next stage in a consultation exercise stretching back more than two years into the tenure of the previous administration.  It represents the Government’s latest attempt to produce a framework within which e-commerce will thrive, so as to achieve their aim that the UK should become the best environment for electronic trading by 2002.

The draft Bill (“the draft”) covers registration of cryptography service providers, the admissibility of electronic signatures in evidence and a power to create delegated legislation to facilitate the use of electronic communication or storage.  It also introduces new powers for disclosure of cryptographic material and related offences.  Although these issues may be new to many in the profession there is no doubt that all practitioners will require at least a passing acquaintance with them whether or not any of the provisions in the draft make it through consultation and ultimately into law.  We are likely to see exponential growth in the use of the Internet for e-commerce over the next five years at similar rates to the present take-up of home Internet access.  Techies will view our existing rules as a “legacy system”, based as it is on paper and pen, which now requires a rapid upgrade.  The law must adapt.

A brief guide to computerised cryptography

The Internet is a public network of computers.  Sending an electronic message across this network, for example by e-mail, is akin to chopping a letter up into a number of packets, addressing each and having them passed hand to hand by a chain of carriers to the destination where the message is reassembled. While the message is travelling any or all of the packets could be intercepted and read.  This arrangement can be contrasted with conventional mail where there is often a single carrier and sealed letters remain largely confidential.  Computerised encryption allows messages to be encoded so that they are unintelligible to an intercepting party.  Only a person holding the code-breaking “key” may decrypt them.

Obviously an intended recipient might not have the key.  It would be unwise for the sender to transmit this across the public network as it, too, could be intercepted.  Consequently a dual system of “public” and “private” keys has become popular.  In this system a person who wishes to receive confidential messages creates a key pair and publishes the first key either on their computer network or on a third party’s system.  Their other key is kept private.  The public eye can be used by anyone to encrypt messages which can only be decrypted with the private key.  Thus, the sender uses the recipient’s public key to encrypt the message.

Dual key encryption can also be used to generate digital signatures.  These are produced by the sender encrypting a digest of a message with his private key and sending the digest along with the original message.  The digest may be decrypted with the sender’s public key and compared with the message.

Comparison allows the recipient to determine whether or not the message has been altered or its integrity and the identity of the sender, since only the private key could have encrypted the digest.  This goes beyond what a manual signature can achieve and in particular it prevents repudiation of the message by the sender provided the private key has been kept securely.  Digital signatures look nothing like a manual signature.  Instead, they have the appearance of a computer file which is attached to the e-mail.

Encryption users require confidence that a key belongs to the person by whom it bears to have been published.  As a result third parties have begun to offer cryptography services.  These range from verifying identity and holding a person’s public and/or private keys to generating the key pairs themselves or issuing certificates linking a user’s identity to a specific public key.  One slightly unusual consequence is that the recipient of a signature who approaches a third party for verification generally relies not on any service provided directly but rather on the service which the third party provides to the signing party.

The draft Bill

As e-commerce increases so the number of people requiring encryption services will grow and the draft seeks to deliver a “kitemark” style assurance to qualifying service providers.

Part I introduces a voluntary approval and registration scheme for providers of cryptography support services (“CSPs”).  CSPs would seek approval by application to the Secretary of State or a person delegated by him.  Regulations will prescribe technical and other requirements to be met by CSPs together with a mechanism for determining a pass or fail.  Some commentators3 had indicated a concern that these regulations might require CSPs to operate key escrow, the depositing of encryption keys for later retrieval, possibly by law enforcement agencies.  The last Conservative administration had proposed that this be part of a mandatory licensing regime and the present Government, while not endorsing that regime, had promoted key escrow in the past.

While it may help law reinforcement, mandatory key escrow would have a negative effect on e-commerce.  It has the potential to deny users the guaranteed privacy which they may require for business operations.  If key escrow were to be introduced by regulations an approved CSP might not be capable of the same degree of trust as an independent provider.  Not only might they be obliged to hand keys over to a law enforcement agency, they may also be subjected to greater attack by individuals who are aware that they are holding these keys and as a result will require even greater security.  Happily the Government has now indicated that notwithstanding the rather open terms of the draft they do not propose that key escrow be part of the approvals regime4.  This may provide some comfort to proponents of civil liberties but as will be seen from consideration of the later provisions, the Government is seeking a new key disclosure weapon which could have a dramatic effect on users’ privacy.

The draft attempts to be technologically neutral in its definitions of a cryptography support service, prescribing what it must achieve rather than the nature of the technology itself.  The definition can be summarised as: the securing of communications by encryption for access by certain persons only or so as to allow authenticity or integrity to be ascertained.

In the case of present technology this would include the production and management of public and private keys and the registration and issuing of certificates of identity.

Some commentators suggest that introducing approved CSPs would create a two-tier system in the UK because services or products which are not approved will not be accorded the same status by the public after the legislation comes into effect.  To be fair, it is difficult to imagine how the Government could have avoided this in introducing any proposed approval scheme.

While the draft is careful not to prescribe what weight should be placed on any kind of electronic communication or cryptography service, whether approved or otherwise, some freely available software could fall prey to a two-tier system.  One such product, PGP (pretty good privacy), allows the user to produce his own dual keys.  It would be disadvantageous to smaller businesses if they were prejudiced by their use of such a free but entirely effective system because the product does not spring from an approved provider.

Part II of the draft deals with facilitation of e-commerce.  Although rather innocuous at first sight it has the potential to radically change the whole body of law on requirements of writing by enabling delegated legislation for legal recognition of electronic communications.  Clause 7 provides that in legal proceedings electronic signatures or their certification will be admissible in evidence in questions of the authenticity or integrity of an electronic communication.  As no guidance is provided for the Court on the weight it should give to such evidence some might say that the provision adds nothing to the present position whereby it is perfectly competent to lead computer-based evidence in order to set up the integrity or authenticity of all kinds of communications.  In the course of the original consultation exercise5 the Government proposed a rebuttable presumption that an electronic signature meeting certain conditions acted to identify the signatory and guaranteed the integrity of the message.  Of the responses received the majority were in favour of this presumption but it has been abandoned following a shift of opinion during later consultations.

Clause 8 provides a power whereby Ministers may modify legislation by statutory instrument to authorise or facilitate electronic communication or storage.  Provisions which may be affected are those where writing, posting or delivery, signature or witnessing, statements of declarations, keeping of records, publication of information or making of payment are required, provided that the Minister must be satisfied that any electronic scheme he introduces is capable of providing records of everything done.  Guidance is given as to the kinds of provisions which may find their way into an order, including the precise form of the electronic alternative, conditions for its use and the manner by which its use would be provided in litigation.  Subject to the consent of UK Ministers, Scottish Ministers are empowered by Clause 9 to make appropriate amendments to Scots law by Scottish Statutory Instrument.  Consent is required as the power would extend to matters reserved to the UK Parliament. 

Clause 8 is disappointing in that although it promises fundamental legal change at some point in the future it does perhaps delay the implementation of the Government’s stated policy on e-commerce.  This can be contrasted with draft primary legislation currently under consideration in Ireland6 which puts forward a rule that an electronic signature will be competent for any purpose for which a signature is legally required with specific exceptions for testamentary instruments, trusts, powers of attorney, interests in real property and affidavits.  The rule may be extended to those instruments in the excepted class by delegated legislation.  Full consideration of the Irish draft is beyond the scope of this article but for those interested it is suggested that a comparison of the UK and Irish approach will be instructive.

Part III of the draft has nothing to do with e-commerce.  It is concerned with law enforcement issues relating to encrypted material.  It is interesting to note that this part of the draft contains around the same amount of material as Parts I and II put together.

Put briefly, this part envisages the situation where the authorities, say an intelligence agency, the police or customs and excise, come across encrypted material during an investigation.  Certain authorised persons can order the holder of the material to decrypt it or to hand over their decryption key.  The order can require that its existence be kept secret so that effectively the holder can inform nobody, other than his solicitor, that he has received it.  New offences are proposed of failure to comply with an order and of “tipping off” any person about the existence of a secret order.  These carry maximum terms of two and five years’ imprisonment respectively.

There is a statutory defence available to those who have informed others of the subsequent insecurity of their keys provided the disclosure happens “by automatic operation of software”.  If the provisions become law there will undoubtedly be a market for packages which provide this alert facility.  A lengthy series of safeguards are also proposed with the intention of providing public comfort that the use of the new powers will be restricted.  These include statutory duties and a code of conduct for those who are responsible for key recovery, the appointment of a supervisory commissioner and the setting up of a tribunal to hear complaints with power to award compensation.

It is disappointing that the Government should see fit to propose these measures in connection with e-commerce.  The presence of these “cloak and dagger” provisions in what should be positive and upbeat legislation is lamentable.  Politically, it would perhaps have been better left to the review of the Interception of Communications Act.  Latest reports indicate that the Government may well move the provisions over to that statute.

Wherever the contents of Part III end up, if they are passed into law as presently drafted they may have a damaging effect on electronic commerce.  Whilst most would agree that a balance is required between law enforcement and legitimate use of encryption, the draft delivers a bias in favour of enforcement.  One consequence is that private keys will not be fully secure in the UK unless their use is restricted to the generation of digital signatures7.  It does not matter if no decryption orders are made, or if they are only used for cases of terrorism and drug offences.  It is the sheer uncertainty of the security position which could produce a set-back for the e-economy as a whole.

Consider the following examples:

1. The purchasing director of a UK company receives a message encrypted with the company’s public key from a person who, unknown to him, is under investigation.  He may come under investigation himself and might receive a decryption order under which he is obliged to disclose the company’s private key which is used for all of the company’s communications including electronic procurement.  In the meantime, he is not allowed to disclose its subsequent insecurity to third parties.
2. A guilty party deliberately sends a large volume of randomly encrypted material to a series of unconnected third parties so as to keep the investigating authorities busy.  Such innocent recipients may be faced with a requirement to provide that they have never held the key, rather a tall order in any criminal proceedings.

Conclusion

We have come a long way in the legislative process but there is still some distance to travel.  Consultation on the draft concluded on Friday 8 October, although it may be possible for later responses to be considered8.  If a Bill is introduced thereafter it will still require to follow the usual legislative route and only then will the first delegated legislation be passed.  Meanwhile suitable primary legislation may be passed in other countries which does not require subordinate regulations.  By trying themselves up with the negative aspects of encryption the Government appears to have lost sight of the original ideal and in particular the need to legislate for the right environment.  Creating worry in the minds of legitimate users of encryption is not the way to encourage e-commerce.  Unless a speedier, more positive approach is taken we shall not be ready for the e-commerce revolution far less will we be actively encouraging it.

Andrew Lothian is e-business consultant with Henderson Boyd Jackson WS

Footnotes

1. Extract from the Queen’s Speech 24 November 1998
2. The full text of the Bill is on-line at http://www.dti.gov.uk/cii/elec/ecbill.html
   
3. See, for example, Foundation for Information Policy Research’s press release http://www.fipr.org/ecommpr.html(23/07/99)
4. DTI Press Notice (23/07/99) – see Central Office of Information website at http://www.coi.gov.uk
5. Building Confidence in Electronic Commerce – A Consultation Document http://www.dti.gov.uk/cii/elec/elec_com.html (05/03/99)
6. Outline Legislative Proposals on electronic signatures, electronic contracts, certification service provision and related matters http://www.ecommercegov.ie
   
7. Keys used for that purpose only will not be subject to a decryption order but it is worth noting that the popular PGP software uses one key pair for both encryption and digital signatures, rendering the average user subject to a decryption order.
   
8. Any comments should be sent in writing to Stephen de Souza either by electronic mail (preferably in Word 6.0 or text format) to ecbill@ciid.dti.gov.uk or to:Communications and Information Industries Directorate, Department of Trade and Industry, Room 220, 151 Buckingham Palace Road, London SW1W 9SS