The Government invited comments on the consultation paper, in particular with respect to the thirteen questions (referred to by the relevant paragraph numbers in this table) given in Section VII of the paper. The following is a summary of those responses. Questions Responses Notes Whether the suggested scope of an exclusion from licensing for intra-company TTPs is appropriate (Paragraph 50) 77% agreed 14% disagreed 9% did not comment Whether, in the short term, it would be sufficient for business to rely on agreements under contract regarding the integrity of documents and identification of signatures; or whether it would be helpful for legislation to introduce some form of 'rebuttable presumption' for recognition of signed electronic documents (Paragraph 54) 37% preferred contract 54% preferred rebuttable presumption 9% commented neither way Most of those that preferred the contract approach also wanted more assurance that the courts would indeed accept electronic signatures The appropriateness of the proposed arrangements for licensing and regulation (Paragraph 60) 40% agreed with the proposed arrangements 42% disagreed with the proposed arrangements 18% did not comment Most of those that disagreed would accept a less strict form of regulatory regime. Views on the proposed conditions (Paragraph 65) 44% agreed with the proposed conditions 27% disagreed with the proposed conditions 29% did not comment One of the main reasons for disagreement was that the conditions would be too expensive to meet. What if any, specific exemptions for particular organisations offering encryption services would be appropriate depending on the nature of the services offered? (Paragraph 70) There were a number of organisations who specifically wanted their own services excluded for confidentiality reasons. There is some correlation between the responses requesting exclusion and the notion of having a two or more tiered licensing regime e.g. minimum exclusions for 'CA only' type services and maximum exclusion for confidentiality services. Whether it is thought desirable to licence the provision of encryption services to businesses and citizens wholly outside the UK? (Paragraph 71) 37% agreed 16% disagreed 47% did not comment One of the most common comments was that that international harmonisation was important. Questions Responses Notes Should electronic methods for the delivery of electronic warrants by the central repository and the subsequent delivery of keys by the TTP be introduced? (Paragraph 80) 65% agreed 16% disagreed 19% did not comment Those that disagreed did so mainly because they did not approve of the principle of lawful access. Does the legislation specifically need to refer to other forms of legal access including a civil court order for access to cryptographic keys used to protect information relating to civil matters such as bankruptcy? (Paragraph 82) 44% agreed 21% disagreed with the need to refer to other forms of legislation 35% did not comment Should deliberate (and perhaps wilfully negligent) disclosure of a client's private encryption key be a specific criminal offence, or would existing civil and criminal sanctions suffice? (Paragraph 84) 51% thought that it would be a specific criminal offence 19% thought that existing sanctions would suffice 30% did not comment Many did not see why this offence should be limited to just private encryption keys. Whether the principle of strict liability is appropriate in these circumstances? (Paragraph 89) 45% agreed to the need for strict liability 45% disagreed 10% did not comment. Whether, in principle, an independent appeals body (such as a Tribunal) should be created? (Paragraph 91) 47% agreed 14% did not agree 39% did not comment Whether the proposed duties of an independent Tribunal are appropriate? (Paragraph 93) 47% agreed 16% disagreed 37% did not comment Would mandatory ITSEC formal evaluation be appropriate? (Annex C) 21% agreed 44% were against 35% did not comment Some thought that BS 7799 certification might be more appropriate. Some thought that the use of ITSEC would be acceptable for mandatory licensing, but others thought it was too excessive and expensive. ANNEX C DTI Public Consultation Paper on Licensing of Trusted Third Parties for the Provision of Encryption Services Summary of Responses Introduction 1. There were 260 responses, 129 by conventional mail or fax, and 131 by e-mail. 102 were from organisations, and 158 from individuals. Many expressed their views strongly. Some were very short and some very detailed. Some comments appeared to be based on misconceptions, and some respondents seemed not to have fully read the paper. Only a few approved the proposals without qualification. However most approved the idea of licensing TTPs, with consumer protection as the main rationale. Most had some criticisms of the document, and some rejected it almost entirely. 2. A large number of responses began by welcoming the fact that a consultation paper had been produced at all on this topic. They stressed the importance of electronic commerce and recognised the need for a supporting infrastructure. 3. The most common general criticism was that the paper should have more clearly separated the issue of the licensing of TTPs (in particular in their role as Certification Authorities, e.g. for digital signatures), from that of lawful access. These issues were seen as quite distinct in principle, and best addressed separately. 4. The only aspect of the document to receive almost universal approval was the proposal to legislate for recognition of digital signatures by the courts. With regard to the authentication of digital signatures by licensed TTPs, a majority favoured the 'rebuttable presumption' mechanism over the alternative of enabling or encouraging contractual recognition. 5. The following paragraphs cover the other major issues commented on by the respondents. Responses to the specific questions posed in the consultation paper are summarised in tables on pages 4 and 5. Mandatory versus Voluntary Licensing 6. Among those who approved of the licensing of TTPs, a significant and weighty minority argued for voluntary licensing, even though this was not explicitly discussed or put forward in the paper. There was felt to be a place for unlicensed TTPs if the market wants them. There were many calls for clarification of the suggested exclusions from the licensing regime, and several respondents asked for their own exclusion. One of the reasons for advocating voluntary licensing was this difficulty of defining exclusions. 7. There were fears that the proposed licensing conditions would be too burdensome and costly. A tiered approach was advocated by some, with varying TTP licensing conditions depending on the range of functions offered. There were many pleas from business organisations for the maximum amount of freedom to be left to the market, and many expressed confidence that in this fast-changing area market mechanisms would produce the most effective solutions. However the Data Protection Registrar, referring particularly to the requirement for consumer protection, broadly supported the licensing proposals. Sanctions, and Prohibitions 8. Most respondents thought that new criminal offences would be needed to cover the deliberate or reckless disclosure of a user's private confidentiality key, and most insisted the offence should also cover authentication keys. There was little support for relying on the UK Data Protection Act 1984 or the UK Computer Misuse Act 1990 as these were seen as not being adequate for this type of offence. Liability 9. A common view from industry was that the paper should have discussed liability in an authentication/integrity context (e.g. liability for falsely authenticating a digital signature), and not just confidentiality. There was no consensus on strict liability, nor on limited versus unlimited liability. Industry considered that the market would probably produce a spread of possible options with grades of liability to match level and types of service. International Issues 10. Business respondents in particular were concerned that any UK initiative, such as a TTP licensing regime, should be consistent with requirements in other countries and should be able to inter-operate with them. The danger of international isolation from too strict a UK regime, or a unilateral one, was stressed. The UK should proceed in collaboration with the international community otherwise there could be a danger that it would become a backwater in the world of electronic commerce. There was much support for the OECD Guidelines, and for the UK to act strictly in accordance with them; most, but not all, respondents saw the paper as conforming to them. Lawful Access 11. The issue of access to keys for law enforcement purposes attracted by far the most comment - particularly from individuals. Much of it was fundamentally opposed to the whole concept of lawful access, and either explicitly or implicitly also rejected the existing powers for lawful access to traffic under the Interception of Communications Act (IOCA). Some saw it as an extension of IOCA to stored data. There was some suspicion of the authorities' motives, and of the possibility of them misusing their powers with regard to lawful access. There was suspicion also that the proposals would result in a significant increase in the volume of official interceptions or surveillance. 12. Many of the more technical responses questioned the effectiveness, or even the feasibility, of the key escrow proposals in the paper. Comments included: it was wrong to make the assumption that TTPs would normally need to hold users' private keys; escrowing of private keys is contrary to absolutely basic information security precepts; TTPs would constitute a single point of security vulnerability, and be an attractive target; it was wrong to make the assumption that users would normally have separate key pairs for authentication and confidentiality ; it was unclear whether a warrant would result in a session key being handed over, or a master key of some kind. If the latter, then any time limit specified in the warrant could be ignored; the design, implementation and operation of the systems necessary to make TTPs with key escrow workable would involve an unacceptable degree of pioneering and complexity; in conventional public key systems, warranted access to a user's private confidentiality key would only enable decryption of their incoming traffic - to enable decryption of their outgoing traffic would require a warrant to each of their correspondents' TTPs. In addition, the merits of key recovery over key escrow were argued, although there were varying understandings of those terms. 13. By far the most common single point made against the lawful access proposals however, was that the key escrow mechanism might be by-passed by criminals etc. who are the authorities' potential targets. Examples of several such by-pass techniques were given. The answer to this objection given in the 'FAQ' section of the paper ("Criminals will often make use of whatever technology is conveniently available to them...") was not considered convincing. The conclusion drawn was that the proposals would bring cost and complexity to law-abiding users while not necessarily achieving the results the law enforcement authorities want. 3rd February 1998