Select Committee on Trade and Industry Seventh Report


  III UK CRYPTOGRAPHY POLICY

History

  26. Parliament was first informed that DTI was considering the introduction of measures to regulate cryptographic services on 6 March 1996. Ian Taylor MP, then Minister of State, DTI, said in a Written Answer that "discussions are taking place between Government departments on the provision of encryption services...Such discussions will seek to balance the legitimate commercial needs of the business community, for secure and confidential communications, with those of the law enforcement agencies. Key retrieval services therefore, via a network of trusted third parties, are one of the issues being considered".[61] On 10 June 1996 DTI published a short paper on "regulatory intent concerning use of encryption on open networks".[62] The paper followed preliminary discussions with industry groups about the concepts it set out and promised consultation on detailed policy proposals before legislation was introduced. A detailed consultation document was issued on 17 March 1997, shortly before Parliament was dissolved for the general election. DTI stated that "it will...be important to secure the broad acceptance of the business community for the Government's proposals. The Department will pay particular attention to this during the consultation process".[63]

27. The previous Administration's proposals comprised the following elements:[64]

  • companies offering cryptographic services to UK customers would require a licence[65]
  • no distinction was made between CAs and TTPs
  • in order to be licensed TSPs would need to demonstrate the competence of their employees, their adherence to quality management standards, suitable liability cover and satisfy other appropriate accreditation standards
  • additionally, TSPs would be required to hold copies of customers' private encryption keys and to provide law enforcement agencies with access to such keys in certain circumstances
  • development of a global TSPs' infrastructure was envisaged, with international acceptance of key escrow. The need for arrangements to facilitate international exchange of keys was emphasised
  • export controls applicable to cryptographic products capable of allowing key escrow would be relaxed
  • there would be exclusions from the licensing regime, particularly for cryptographic services offered within a closed community, for instance intra-company TSPs
  • there would be a "rebuttable presumption" in law of the integrity and authenticity of an electronic signature certified by a licensed CA
  • TSPs would be strictly liable for the disclosure or compromise of a private encryption key, but their liability for such occurrences would be limited. A Tribunal system would be established to consider the reasons for the disclosure or compromise of a private key, including whether access by law enforcement agencies had taken place according to due process of law.

The previous Government also suggested that further legislation would be needed to allow law enforcement agencies access to private encryption keys other than those held by TSPs. The issue of whether or not the usage of words such as "writing", "signature" and "document" in statutes would need to be redefined was recognised as pertinent, but no legislative proposals were made.

28. DTI eventually published a summary of the 260 responses to the March 1997 consultation exercise on 27 April 1998.[66] It noted that "only a few [respondents] approved of the proposals without qualification...most had some criticisms of the document, and some rejected it entirely".[67] The issue of lawful access to private encryption keys had proved most controversial. DTI commented that the conclusion to be drawn from the responses was that the key escrow proposals "would bring cost and complexity to law-abiding users while not necessarily achieving the results the law enforcement authorities want".[68]

29. The present Government outlined its policy on cryptographic services on 27 April 1998, linking its initiative to the Information Age strategy announced by the Prime Minister on 16 April 1998.[69] There were some important differences from the previous Administration's policy:

  • the proposed licensing scheme for TSPs would be voluntary, not mandatory
  • the Government would recognise the distinctions between different types of cryptographic services, particularly the difference between CAs and TTPs
  • there would be legislation to ensure access by law enforcement agencies to information necessary to decrypt the content of communications or stored data (eg a private key or password) which would apply to any individual or organisation but which would not cover private keys used to create electronic signatures.

30. Further details of the Government's intentions emerged in various meetings between DTI officials and industry representatives during the second half of 1998, particularly a conference on 19 October 1998. A crucial detail absent from the 27 April 1998 paper was that there would be an "all or nothing" approach to licensing. Firms seeking to offer both a TTP and a CA service would need to be licensed for both. The proposal to legislate so that an electronic signature backed by a certificate from a licensed CA would have an enhanced legal status relative to a signature without such backing would provide an incentive for CAs to seek to be licensed. There was no similar incentive for TTPs to be licensed, particularly as the 27 April 1998 statement insisted that TTPs would need to allow for key escrow.[70] The "all or nothing" approach to licensing meant that those organisations seeking to enter both markets would either have to accept key escrow or risk losing out in the market for certification of electronic signatures. A further proposal was that OFTEL would be the licensing authority for encryption services.[71]

31. DTI's detailed consultation paper, the successor to the March 1997 paper, was due to be launched at a conference on 19 October 1998.[72] The consultation paper, prepared by DTI and the Home Office, "Building Confidence in Electronic Commerce" finally appeared five months later, on 5 March 1999.[73] It confirmed that legislation would establish a voluntary licensing regime for cryptographic services, but drew back from the "all or nothing" approach previously suggested.[74] Legislation would also ensure that "any electronic signature...is capable of being given legal effect" but that those signatures backed by a certificate from a licensed CA would "automatically...be regarded as legally equivalent to a hand-written signature".[75] DTI remains committed to "encouraging the deployment of key escrow and key recovery technologies" but "the Government has decided to consult on the basis that neither key escrow nor third party key recovery will be requirements of having a licence for confidentiality services".[76] Law enforcement concerns about the abuse of encryption would be assuaged by a "power to require any person, upon service of a written notice, to produce specified material in a comprehensible form or to disclose relevant material necessary for that purpose".[77] The Government recognised that this would not satisfy the interception needs of law enforcement agencies and asked for ideas from industry to solve this problem.[78] There were also sections requesting views on the legal recognition of electronic writing,[79] implementing the UNCITRAL Model Law on Electronic Commerce,[80] taking action against "spamming",[81] the role of on-line intermediaries,[82] and the proposed licensing criteria.[83]

Conclusions

  32. If the forthcoming Electronic Commerce Bill receives Royal Assent by April 2000, as the Government intends, then it will have taken almost four years for legislation to reach the statute book from DTI's first public recognition that legislation was due.[84] Three factors at least partially explain this delay:

  • the change of Government in 1997 inevitably delayed the development of policy on cryptographic services, both because of its low political priority and because, in opposition, the Labour Party had expressed its disapproval of the proposed mandatory licensing of TTPs[85]
  • as the responses to both of DTI's consultation exercises, and the evidence we have taken, have shown, there has been widespread opposition to both the principles and details of the Government's policy, particularly with respect to key escrow
  • an international consensus in favour of national key escrow policies has not emerged. Those countries which were previously supportive of key escrow, particularly France and the US, have recently changed direction.

33. The experience of those governments which took early initiatives relating to cryptography has not been an entirely happy one. US key escrow initiatives have been abandoned and some State electronic signature laws, for instance the Utah Digital Signature Act 1995, have been described as too restrictive to encourage the development of electronic commerce.[86] The Belgian Government was forced in 1997 to amend a 1994 law which had the unintentional effect of prohibiting the use of encryption which did not provide for key escrow.[87] The European Commission has expressed concern at the "very divergent legal and technical approaches" to electronic signatures by Member States' governments, particularly following early legislation in Germany and Italy.[88]

34. Notwithstanding legitimate reasons for delay, we are concerned at the time it has taken the present Government to establish and implement a cryptography policy. It took almost one year for the Government to outline its cryptography policy and a further ten months to publish some details. The Minister emphasised that "it is a very fast-moving world...technology is changing all the time", but the rate at which DTI has moved in this area has been glacial.[89] British industry made its almost unanimous view of key escrow clear in mid-1997, but the Government only confirmed, in a rather half-hearted way, that key escrow no longer featured on its agenda in March 1999. We have some sympathy with Dr. Anderson's view that "when DTI comes forward with a proposal about key escrow and we have said 'that will never work because of x, y and z' this gets taken away and then a few months later the same proposal comes back again".[90] Although DTI officials have engaged in a continuous dialogue with industry and other interested parties on cryptographic issues, the clear message from industry has not been acted upon quickly enough. Whereas some governments chose not to legislate early on cryptography in order to monitor how the issues developed, the UK Government has adopted this position by default. The Institute for the Management of Information Systems has warned that the failure of UK law to keep pace with the growth of electronic commerce is now a "severe barrier" to UK competitiveness.[91] It is our perception that inadequate political control has been exercised over the development and determination of cryptography policy. The policy agenda has been allowed to drift for too long. It is imperative that Ministers take a firm grip of the issues from now on.

35. The Minister told us that, with regard to cryptography, "there are complex, difficult issues that need to be resolved...we want the freest possible environment for electronic commerce, and on the other hand there clearly are law enforcement issues at stake".[92] While this is true of encryption policy, it is less true of policy in relation to electronic signatures, CAs and issues relating to the definition of words such as "writing" and "document" in law. These issues are logically distinct from encryption and are of vital importance to the take-up of electronic commerce by SMEs and consumers in particular. Several respondents to DTI called for law enforcement issues to be removed from the forthcoming Electronic Commerce Bill, pending further consultation.[93] ICL told DTI that it considered that "the Government's aims...for a Secure Electronic Commerce Bill are too extensive and the timetable too restrictive...blind adherence to artificially imposed deadlines will end up doing more harm than good".[94]

36. The inclusion of law enforcement provisions in a bill intended to establish the legal effect of electronic signatures results from the Government's previous commitment to key escrow, whether introduced through a mandatory or voluntary licensing scheme. The DTI originally intended to legislate in order to control the use of cryptography in the UK, by means of key escrow. That intention would now appear to have changed, particularly given the emphasis placed by the previous Secretary of State on the need to encourage electronic commerce.[95] We believe it is essential that every measure included in the forthcoming Electronic Commerce Bill is designed to facilitate rather than restrict electronic commerce and that this should be the criterion by which Parliament judges the Bill.

37. The consultation document published on 5 March 1999 requested responses by 1 April 1999. The Cabinet Office guidelines on written consultation exercises stipulate eight weeks as the minimum period for consultation. Many respondents to DTI complained about the brevity of the consultation period.[96] The Government cited the constraint imposed by the parliamentary timetable as the reason for contravening the guidelines.[97] We find this a specious justification, given that the parliamentary timetable is largely controlled by the Government. If the consultation document had appeared in October, as promised, or in the months thereafter, then a more substantial period for consultation could have been allowed. There are no signs that the additional five months were used to improve the accuracy and clarity of the consultation document nor to make technical changes to, for example, the proposed licensing criteria.[98] While we accept the Government's judgement that legislation should not be delayed still further solely to allow for a standard consultation period, especially as the issues on which DTI sought views were so familiar to likely respondents, the time constraints cited by DTI have been entirely of their own making.


61   HC Deb, 6 Mar 96, c229w; see also 25 Mar 96, c411w

62   HC Deb, 10 Jun 96, cc13-14w; the paper can be found on the internet at www.dti.gov.uk/cii/encrypt/

63   Paper on Regulatory Intent Concerning Use of Encryption on Public Networks, DTI, Jun 96, paragraph 16

64   The Licensing of Trusted Third Parties for the Provision of Encryption Services, DTI, URN97/669, Mar 97 (hereafter Consultation 97)

65   The terminology associated with encryption services is confused. DTI's latest definitions can be found in Consultation 99, p4 footnotes 3 and 4, p17

66   DTI Press Notice 98/320; the Summary of Responses is dated 3 Feb 98

67   Summary of Responses, DTI, Apr 98, paragraph 1

68   Ibid, paragraph 13

69   DTI Press Notice 98/320 and the Secure Electronic Commerce Statement; for Our Information Age see footnote 1

70   Secure Electronic Commerce Statement, paragraph 12

71   Ev, p135 paragraph 3

72   Information Technology and Public Policy, Vol. 17 No. 1 Winter 1998, pp24-5

73   See footnote 13

74   Consultation 99, paragraph 39

75   Ibid, paragraphs 20 and 21

76   Ibid, paragraphs 37 and 51. Also see paragraph 36; and paragraph 47 which reiterates a suggestion of Consultation 97 that export controls for cryptographic products incorporating provision for key escrow or key recovery might be relaxed

77   Consultation 99, paragraph 64

78   Ibid, paragraphs 80-90

79   Ibid, paragraphs 16-18

80   Ibid, paragraph 25

81   "Spamming" is the "sending of unsolicited e-mail for the purpose of commercial advertising", Ibid, paragraph 28

82   Ibid, paragraph 32

83   Ibid, Annex A

84   Competitiveness White Paper Implementation Plan, DTI, date, D9

85   Communicating Britain's Future, Labour Party, 1995

86   Qq257, 434; Ev, p165; Walsh Report paragraph 4.7.1; Australian Expert Group, chapter 3; Bowden, C. and Akdeniz, Y., "Cryptography and Democracy: Dilemmas of Freedom" in Liberty eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet, 1999, pp81-125, on the internet at www.fipr.org/publications/cryptfree.pdf

87   The Crypto Controversy, Bert-Jaap Koops, Kluwer Law International, 1999, p103; also on the internet at cwis.kub.nl/~frw/people/koops/cls2.htm#be

88   Com(97)503, section IV, paragraph 1.1; and see Ev, p219 paragraph 14

89   Qq 522, 524

90   Q453

91   Response to Government from the Institute for the Management of Information Systems (IMIS) summary point 2; also Q8; Ev, p257, paragraph 3.1, p259; and see response to Government from Computer Weekly p1

92   Q522

93   For instance Ev, p3 section 5, p109, p258 paragraph 4.3, p259; responses to Government from Association for Payment Clearing Services p1, Institute for the Management of Information Systems (IMIS) paragraph 10, Zeneca p1, Nationwide paragraph 1, Institution for Electrical Engineers (IEE) p1, Piers Beckley BBC Online, Interforum p4, Justice paragraphs 4-9, Cable & Wireless pp2, 8, Royal & Sun Alliance p2, Energis paragraph 2.1, Ernst & Young p6, Information Technology Law Unit Queen Mary and Westfield College (QMWC) paragraph 4.4, Charles Waudby, Dibb Lupton Alsop p5

94   Response to Government from ICL (first submission) p4

95   See response to Government from Justice paragraph 10, for instance

96   For instance responses to Government from European Forum for Advanced Business Communications (EEMA) p1, IEE p1, Lloyds p1, Universities and Colleges Information Systems Association, Institute of Chartered Accountants of Scotland p1, Norman Gray pp2-3, LIBA p1, British Computer Society p1, Campaign against Censorship of the Internet in Britain (CACIB) p1, AOL Compuserve p1, Royal Institution of Chartered Surveyors (RISA) p2, Barry Chatfield p1, Energis paragraph 2.1, Demon Internet/Scottish Power section 1, Royal & Sun Alliance p1, Morgan Stanley Dean Witter p4, MacRoberts p1

97   Qq524, 545; Consultation 99, p1

98   See responses to Government from Baltimore paragraph 1.1.1, Sylvia McDonald, UKERNA p2, British Computer Society p3, Charles Lindsey, CR Ritson, John Stumbles; there is an obvious confusion within paragraph 20 of Consultation 99 about whether or not the involvement of an "approved signature device" is required for an electronic signature backed by a certificate from a licensed CA to benefit from the rebuttable presumption proposed by the Government


 

© Parliamentary copyright 1999
Prepared 18 May 1999