Presentation by Nicholas Bohm

The Law Society of England and Wales

To Scrambling for Safety II

May 29, 1998

The Law Society, and the profession it represents, view the conference topics from three aspects:

A    As users, concerned with confidentiality and legal professional privilege.

B    As advisers to the private citizen, concerned with

C    As advisers to commerce and industry, concerned with the effective development of commercial law

A    As users: confidentiality, legal professional privilege

Privilege belongs to the client Electronic mail must be used with due regard for confidentiality Given ready availability of e.g. PGP, lawyers have a duty to be secure in their use of email.
Given the special position of privileged material, it is inconsistent with a solicitors's professional duty to provide any general access to private confidentiality keys.

Given the low risk from loss of access to communications (as compared with stored data), since communications can be repeated, there is little benefit from key recovery or key escrow services.

Given that there is little benefit from key recovery or key escrow services, there is no possible justification for lawyers exposing private confidentiality keys to risk of third party access.

In any event, access to private confidentiality keys (whether through escrow or under a warrant) is plainly excessive, because it gives access to all communications to the owner of the key, not just to messages where this is justified by law enforcement requirements.

The proposed legislation requires scrutiny in due course to ensure that:


B    As advisers to the private citizen

The combination of electronic mail with secure encryption brings the benefit of genuinely private telecommunications within public reach for the first time

In the context of crime prevention and detection, this offers two significant advantages:

It also brings a drawback:  secure communications between criminals.  But this drawback is already unavoidable, and no practicable legislative measures can change this.  Pandora's box is already open.

What about secure communications between criminals and honest citizens (banks, doctors, travel agents, car hire firms)?

What about the citizen facing a warrant? It is disappointing, after such long consideration, and the fact that the Law Society's submission to the DTI identified a suitable statutory model, to find the DTI Statement offering so little detailed consideration of important practical issues affecting the liberty of the citizen.

C    As advisers to commerce and industry

May 1997 Report of the Society for Computers and Law Legislative Working Party on Digital Information and Requirements of Form provides an excellent summary of the relevant law and references to sources.

Contracts can be made by word of mouth, by gesture (as in auctions), by telegram, by telex, by fax:  it is simply absurd to doubt that they can be made by electronic mail.

Some things have to be done in writing; for example:  guarantees; wills and codicils; tax returns; and transfers of property such as debts, copyright, patents and land.

"Writing" is generally defined too narrowly to include electronic documents (Interpretation Act 1978, Schedule 1).  Oddly, the definition in section 178 of the Copyright, Designs and Patents Act 1988 is wider:  copyright can be assigned by an electronic document, but a patent cannot.  There is no sense in this distinction.

The problem of the unsatisfactory definition of "writing" is well known, easy to understand and easy to remedy.  It is disappointing to find it not even mentioned in the DTI Statement.

A signature is any mark used to show adoption of a document.  Rubber stamps, mechanical signatures, names typed in telexes and names in faxes have all been accepted by the courts.  There is no real reason to doubt that a digital signature is a signature; but legislative acknowledgement could smooth the path of acceptance.  The draft EU Directive, Article 5, identifies the requirement plainly and clearly.

The central legal problem of electronic commerce lies not in acceptance of digital signatures but in their revocation.  Given insecure operating systems and the ease with which weak passwords can be guessed, there is a real risk of unauthorised access to keys and consequent undetectable forgery.

If a bank honours a forged cheque, it carries the loss however good the forgery and however careful the bank.  But for any form of signature other than handwriting, banks use contract terms to transfer the risk to the customer.  Other businesses will almost certainly adopt the same approach to digital signatures.  So the owner of a key will carry the risk of forgery if there is unauthorised access.  This should be seen as a major obstacle to the consumer confidence on which the development of electronic commerce depends.

It therefore seems essential for the user to have a reliable means of revocation.  This might be by direct communication to anyone to whom the user has given the public key; but what about those who have retrieved the key from a key server?  A highly reliable central service accessible online to all users for automatic checking might be considered, backed by some legal basis enabling the user to be certain that notice of revocation to that service will bind all other users.

Users cannot be expected to carry the risks of key compromise unaided given the insecurity of current systems.  If commerce and industry were to unite round a code of practice limiting a consumer's risk to a small fixed amount (as is the practice for ATM cards), users might have the necessary confidence to use digital signatures, and commerce and industry might have the necessary incentive to support satisfactory means of revocation.

Alternatively, much more secure means are needed for the protection of private keys.  At some cost, smartcards using biometric techniques might offer a solution.  The solution is likely to emerge much sooner if commerce and industry bear the risks of insecurity than if they can leave those risks to be borne by consumers.

These important and difficult issues are likely to be important for the development of successful electronic commerce, but they do not seem to receive adequate recognition in the DTI Statement.

By contrast, signature certification receives altogether excessive attention, despite being fundamentally peripheral in its importance.

It is important to notice how few ordinary signatures are backed by any kind of authentication. Even for documents which are witnessed, or for those sworn before a Commissioner for Oaths or a solicitor, there is no authentication of the identity of the signatory or the deponent.  Numerous other examples can be offered:  the Land Registry does not know the signatures on the land transfers it registers; companies do not know the signatures on share transfers they register; the Registrar of Companies does not know the signatures of directors or company secretaries on the returns they file.

Only notaries commonly take pains to check evidence of the identity of those who appear before them, and the transactions in which they act represent a very small minority of all transactions.  To insist on the cardinal importance of general signature  certification for electronic commerce is equivalent to suggesting that all commercial agreements should be signed before notaries.  It really is remarkable that the regulation of a non-existent industry of strictly limited importance should have generated such widespread and heated debate.

It is impossible to account for this phenomenon unless one observes the advantage for law enforcement access to private keys which flows from a scheme where successful applicants for accreditation are obliged to impose on their customers a requirement for the deposit of private confidentiality keys.  Once again, the law enforcement tail is trying to wag the electronic commerce dog.

Fortunately the draft EU Directive limits the freedom of EU member states to pursue this objective.  The draft requires that digital signatures do not depend for their validity on a certificate, and that certificates do not depend for their validity on having been given by an accredited CA.  Article 5 of the draft deserves strong support for this insistence, and in general for the limits it places on the freedom of member states to pursue law enforcement objectives in the context of electronic commerce initiatives.  It is disappointing that the EU draft fails to recognise the importance of revocation issues, and this is one aspect on which efforts to improve it should be focussed.

Successful electronic commerce will depend on user confidence in its security.  Government efforts to bootstrap law enforcement benefits out of electronic commerce initiatives will undermine the very confidence that those initiatives need to enhance.  The present Government is still clinging to the wreckage of the last Government's scheme:  it should have the courage to strike out on its own.