Now the E-Commerce Bill is Published, What Next?

Ross Anderson

A heavily subedited version of this paper was published in `Computing', 5 August 1999 pp 10-11, under the title `Will the etrade bill help or hinder you online?'

The recent publication of the government's Electronic Communications Bill is the latest step in the long-running row over control of cryptography. It will give ministers broad powers to control the use of encryption in electronic commerce, and it has met with a mixed reception from industry.

While the Bill was welcomed by Microsoft's UK Chairman David Svendsen as a ``golden opportunity'' for Britain to become an ecommerce hub in Europe, it has been denounced by Sun whose spokesman said of the government ``It seems to me they're still not working on Internet time.''

The CSSA takes the middle view. Their policy manager Richard Sullivan is concerned ``that the tone of the Bill, with its concentration on legal liability and the prevalence of statutory instruments, may not help to fulfil the government's aim of making Britain the best environment in the world to trade electronically.''

The questions the average IT manager will ask are firstly, what does the bill do; secondly, how will it affect me; and thirdly, what happens next?

What does the bill do?

Since the mid 1990s, civil servants have tried to stake out a claim to cyberspace by advocating legislation to restrict the use of cryptography on the Internet. The Conservatives proposed compulsory licensing while they were in Government, but recanted in opposition. Labour opposed controls in opposition, but have produced a series of proposals for legislation now they are in Government.

Their theme is that licensing will be voluntary; it will cover both the encryption mechanisms used to provide confidentiality and the digital signature mechanisms used for authentication; but various sticks and carrots will be used to favour particular products and services.

What industry most wanted from the Bill was an end to legal uncertainty. There are many laws and regulations which require that particular business transactions involve `writing' or a `signature' (according to the Society for Computers and the Law there are about 40,000 such references). In the past, special regulations or even laws had to be passed to permit particular systems (such as the Bank of England's CREST system for the electronic registration of shares). Now that thousands of businesses are trying to move online at once, there could be legal and regulatory chaos.

So industry had hoped the Bill would say that wherever an existing law or regulation made such a reference, then electronic writing or an electronic signature would be sufficient. But the bill is not that courageous; it merely gives ministers the power to make regulations for the industries in their department's area of interest. But there is no deadline for laws to be updated, and there appears to be no central coordination. So even though the bill may facilitate digital signatures, their adoption could take some time; until the relevant department gives its approval the legal situation may be uncertain. Also, civil servants could easily miss some existing laws and leave some industries relying on invalid electronic documents.

Most of the public controversy has focussed on the law enforcement provisions of the bill. The police and intelligence services claim that the widespread use of encryption could interfere with their operations. This has not happened so far: the crooks' favourite means of secure communication is the prepaid mobile phone, which makes it hard for the police to work out which phones to tap. Nonetheless, the Bill gives the authorities draconian powers to require anyone to decrypt information. This could be extremely inconvenient for IT departments as regulations may impose a duty to keep all encryption keys in case they are required by the police, and to have staff with a security clearance to hand them over. If keys are lost, if staff fail to comply, or if anyone learns that a wiretap is in progress, then prosecution could follow. The cost of changing keys after an investigation is over could also be high.

A broader concern is that the Bill gives ministers and officials too much power to interfere and regulate. There are provisions for companies who sell security services to have them approved, and thus get a `kitemark' to boost customer confidence. Products can be controlled by attaching conditions to the approval of service companies. The concern is that this may get in the way of business and economic growth. Caspar Bowden, Director of the Foundation for Information Policy Research, said: ``Electronic businesses can trade from anywhere in the world. Threatening a mountain of red tape will cause e-business to move to places with a more supportive climate such as Ireland or Canada.''

How will it affect an Average IT Manager?

Rather than setting out a regulatory regime, the Bill gives ministers the power to make regulations. So business will not know what to expect until after the Bill is law, and the regulations are finally published.

Meantime, there is an optimistic view of the Bill's likely effect on the industry, and a pessimistic view.

The optimist's view is that ecommerce is intrinsically international, and the UK with about five percent of the world software market has little influence. So the industry's de-facto standards will continue to be set by whatever products succeed in the US marketplace, and UK regulation will have to follow. But optimists hope that the Bill will bring the long debate on encryption policy to an end, by enabling ministers to `declare victory and go home'. One former DTI minister said, on condition of anonymity: ``You must understand that all the DTI wants is to get the Home Office off its back on this issue.''

The pessimist's view is that the regulations which civil servants will be tempted to make will cause all sorts of problems. For example, DTI officials have declared that they will favour large firms over small ones as approved providers of cryptography services. Is it fair to favour BT over the smaller, more entrepreneurial ISPs, and what will the effect be on business if the number of suppliers is artificially limited?

Another likely problem is that the regulations may demand that cryptographic keys are managed centrally. This could be expensive for organisations whose staff are managed locally. The police and intelligence services make no secret of their wish to get information from a single point in each large company (or even each industry), rather than having to deal with branch managers. After all, the branch manager might be the key suspect. In a separate initiative, GCHQ is pushing for a single key management centre for the NHS, rather than letting individual hospitals and surgeries manage their own keys. If this is the approach ministers take when writing the e-commerce regulations, it could be bad news for the retail and building trades, for banks and even for government itself.

We can also expect controversy over any technical standards which are bundled with service approvals. For example, electronic applications to the DTI for research grants have to be made in Microsoft Word format (which infuriates Unix-using academics); meanwhile, most lawyers use Word Perfect, so the Lord Chancellor's Department might require this format instead for electronic writs (which will upset Microsoft). At best, there is much scope for confusion; at worst, the new powers may be used to impose inappropriate standards over the protests of user communities.

Civil servants have a poor track record at picking standards; for example, going for X.400 electronic mail systems just as the rest of the world moves to SMTP. Giving them arbitrary power to impose technical standards as a condition of the legal validity of electronic documents seems to be asking for trouble.

Another question mark hangs over the very large numbers of existing encryption systems in applications ranging from Windows 2000 and Lotus Notes to cash machines, burglar alarms and prepayment electricity meters. Users cannot in practice change how these systems work, and their vendors are usually not interested in redesigning them specially for the UK market. Here, too, regulations had better follow industry practice, rather than try to dictate it.

Finally, the Bill itself is rather poorly drafted. Nick Bohm, one of the Law Society's experts, points out: ``The bill makes electronic signatures admissible in evidence if they are contained in messages, but not if they are only contained in electronic documents. This is bizarre.'' Even the most basic definitions are unclear; for example, `electronic signature' has two different definitions (clause 7.2 and clause 19.1). This confusion was one reason the Conservatives refused to allow it to be pushed through quickly. Alan Duncan, their frontbench industry spokesman, described the Bill as a ``dog's breakfast''. ``We need a simple three-page bill,'', he said, ``not a 30-page bill''. In his view, the law enforcement measures should be dealt with separately.

What Happens Next?

Most IT managers will push ahead with their e-commerce strategies in the hope that things will somehow get sorted out. But there is still time to influence the development of policy.

The Bill has been published for consultation, and comments are due by Friday 8th October. The debate will be lively because of some of the more extreme wiretapping provisions; for example, if you are served with a notice requiring you to decrypt some message for which the police believe you possess a key, and you don't have it, then it is up to you to prove that. The Conservative view is that this reversal of the burden of proof ``means the innocent are presumed guilty''.

Decryption notices can also be made secret so that you cannot complain to anybody about them. There is discussion on the mailing lists of whether you are allowed to seek legal advice, whether changing a compromised key could amount to an offence, and indeed whether the provisions conflict with the European Convention on Human Rights.

Cynics may suggest that the most objectionable conditions have been inserted merely as a sacrificial ploy; they could be removed in the final text in order to undermine opposition and sideline all but the core of diehard critics. But what is clear is that this bill will be important to business. So before it is set in stone, IT managers might care to work out how it will affects their operations.

Links to the bill, responses to previous consultations, the Trade and Industry Select Committee report and supporting materials can be found here.

Dr Ross Anderson is Chairman of the Foundation for Information Policy Research. He also leads the computer security research group at the University of Cambridge Computer Laboratory.