United Kingdom Parliament
Select Committee on Trade and Industry Seventh Report


  VII LIABILITY

74. TSPs must be able to guarantee to their customers, and others, that:

  • the certificates they issue contain true and accurate information
  • private signature keys, if generated or stored, are well managed, in order to avoid customers' digital signatures being forged
  • private encryption keys are similarly well managed, in order to prevent customers' confidential communications being compromised.

Clear liability rules are required to govern situations in which things go wrong, so that confidence in TSPs is maintained and to encourage market entrants.[232] Such rules could be set out in contracts between TSPs and their customers and there might be a role for legislation to govern the content of such contracts.

75. The Government has indicated that it is minded to enshrine some liability rules in law, particularly because the EU Electronic Signatures Directive proposes that licensed CAs be liable for the accuracy of information in the certificates they issue, both to users and, crucially, third parties.[233] The specific questions posed by DTI in its recent consultation document include:[234]

  • should TSPs accept a minimum level of liability, which could not be varied by contract?
  • should licensed TSPs accept a different minimum level of liability to unlicensed TSPs?
  • should the liability of TSPs (particularly those which are licensed) be limited?
  • should a specific duty of care be imposed on holders of private signature keys?
  • should there be specific requirements to state the liability regime in contracts and on certificates, particularly to assist third parties?

76. Most respondents to DTI tended to emphasise that the rules covering the liability of TSPs to their customers should be left to the market place, rather than written into law, at least for the time being.[235] The Institute for the Management of Information Systems, for instance, stated that liability rules should be the same on-line as off-line; Singletons emphasised that existing laws dealing with liability issues, such as the Unfair Contract Terms Act 1977, apply to electronic commerce.[236] Microsoft told DTI that if legislation dealing with liability was to be introduced, rules should be subject to modification by contract. There was little support for the notion that liability rules should depend on the licensing status of TSPs.[237] APACS told DTI that "taking responsibility in business cannot be voluntary".[238]

77. The proposed minimum level of liability was regarded as particularly restrictive by some.[239] A number of respondents argued that there could be a market for certificates bearing zero liability, which might be prohibited by this proposal.[240] Dr. Roe of Cambridge University argued that zero liability certificates might be of benefit to home computer users who choose not to make their machines secure but who would still wish to make use of electronic signatures.[241] Other respondents supported the suggestion that a minimum level of liability be set — British Steel recommended that "the minimum level of liability for service providers be set at £50,000 for each incident".[242] Some respondents also took issue with the need for the proposed statutory limit on liability.[243] Support for a statutory limit on liability was expressed by Admiral Computing and the Association of Unit Trusts and Investment Funds, which suggested a limit commensurate with the £48,000 limit on compensation from the Investors' Compensation Scheme.[244] Dr. Roe made the case for certificates which place limitations on the size and nature of the transactions they can be used for, akin to the limit on a cheque guarantee card, and emphasised the need for legislation to acknowledge such a possibility.[245] A number of respondents linked the proposed limit on liability with insurance provision, including suggestions that adequate capital reserves or insurance be a licensing criterion.[246]

78. A crucial issue is the liability of CAs to third parties, for the accuracy and veracity of information stated on the certificates they issue. APACS told DTI that an area of great concern was the "marked absence of any meaningful and enforceable liability on the certificate issuer in relation to the relying party...this area in particular should be explicitly addressed by legislation".[247] This issue is related to the question of the "duty of care" suggested to be placed on key holders by the Government. PriceWaterhouseCoopers warned of the adverse effects on third parties if a key was not held securely by the user of a CA's service.[248] Many respondents supported the concept of a specific duty of care placed on key holders, although it was debated whether the desired results were best achieved by statutory obligation or by contractual agreement.[249] There were also calls for a duty of care to be placed on TSPs in relation to any private keys they may handle.[250]

79. If consumers are to have confidence in electronic commerce, the liability rules covering TSPs must be clear, simple, fair and well-known.[251] We recommend that the Government exercise caution before implementing a statutory liability regime in this nascent market. We suggest that, until the market develops further, the most useful requirement might be for TSPs to set out in full their liability provisions, including relevant limits, both to users and third parties, including how liabilities can be met, to assist consumer choice of TSP and swift redress when problems are encountered.


232   Eg Ev, p76 paragraph 5iib

233   Consultation 99, paragraph 43; Com(98)297 article 6

234   There are also issues concerning the liability of service providers for the content of e-mail messages, newsgroup messages, web sites and so on which they host or carry. Some respondents to the Government argued that these issues should have been dealt with in the recent consultation document (eg Demon Internet and Scottish Power section 6). We will consider these issues in our second Report on electronic commerce (see paragraph 3)

235   For example responses to Government from GEC p2, Microsoft section 5, IMIS p6, Real Time Club paragraphs 14-17, Brokat AG section D, Motorola p24, Interforum, p3, LIBA p4, Post Office paragraph 6.1, British Telecommunications paragraph 26, Association of Pharmaceutical Importers section VI, British Computer Society p6, Royal & Sun Alliance p2, SAP(UK)Ltd paragraph 3.4.1, Neil Hare-Brown, Cooperative Insurance Society paragraph 25, Law Society section III.2, Masons paragraphs 19-23, Marconi p3, Cable & Wireless pp4-5, Alliance for Electronic Business paragraphs 3.11-3.13, IBN Ltd p5, Berwin Leighton p5, ABI paragraph 3.10, Centre for Computing and Social Responsibility de Montfort University (de Montfort) p8, Corporation of London p3, American Express p2

236   Responses to Government from IMIS p6, Singletons p3

237   Responses to Government from Microsoft section 5, Association of Unit Trusts and Investment Funds section 3, Baltimore paragraph 3.4.5, APACS section 9, NatWest p3, Vodafone paragraph 23, Energis section 3, Computing newspaper p4, Reuters p3; the British Computer Society p6 expressed a different view

238   Response to Government from APACS section 9

239   Responses to Government from P. Johnson p4, IMIS p6, Brokat AG section D, Cable & Wireless p6, Demon Internet/Scottish Power section 5; CommerceNet UK p12 argued that the Government should take powers to set a minimum level of liability but hold them in reserve; Pinsent Curtis p2 supported a minimum level

240   Responses to Government from Steptoe and Johnson LLP first submission and second submission pp4-5 (the firm suggested that DTI's proposals would contravene the EU Electronic Signatures Directive), Alliance for Electronic Business paragraph 3.12.2

241   Response to Government from Dr. M. Roe section 4

242   Response to Government from British Steel p2

243   Responses to Government from Singletons p3, APACS p9 (although they suggested a limit on liability for consequential losses), Reuters p3, Eversheds p1; the British Computer Society p7 argued that there should be no limit on TTPs' liability

244   Responses to Government from Admiral Computing p2, Association of Unit Trusts and Investment Funds p2; also IBM p2, Consumers' Association p4, Vodafone paragraph 24, Computing newspaper p4, Alliance and Leicester p3

245   Response to Government from Dr. M. Roe section 4; and see response from Berwin Leighton p5, Cable & Wireless p6, Marconi p3

246   Ev, p253 paragraph 3.1, p288; responses to Government from British Steel p2, British Chambers of Commerce p3, Real Time Club paragraph 16, British Computer Society p6, ABY paragraph 2.10, Protek p2, Amazon.co.uk p4, MacRoberts (who suggested a minimum level of insurance cover of £50 million) p25, Computer Weekly p2; but see comments by IUA p3

247   Response to Government from APACS, p9; and see from BBA p3

248   Response to Government from PriceWaterhouseCoopers p7

249   For instance see the responses to Government from IMIS p6, Barclays p6, Motorola p26, APACS p10, Lloyds p2, BBA p3, Phillip Hallam-Baker p2, CommerceNet UK p11, ABI paragraph 3.11, Computing newspaper p5, British Telecommunications paragraphs 27-28, British Computer Society p6, NatWest p4, Vodafone paragraph 24, Cable & Wireless pp5, 8, Alliance for Electronic Business paragraph 3.14, Demon Internet/Scottish Power section 6, Reuters p3, Law Society section III.2, MacRoberts p26, Consumer Communications for England paragraph 12, Real Time Club paragraph 17, de Montfort p8

250   Responses to Government from IMIS p6, UKERNA p2, de Montfort p8, IBN Ltd p5, Energis section 3, Hewlett Packard (main submission) p9, Protek p2; British Telecommunications paragraph 29 and British Computer Society p6 opposed TSPs being held strictly liable for private keys handed over to law enforcement agencies; see also Ev, p159 annex 1 paragraph 3.3

251   See response to Government from Consumer Communications for England paragraph 5


 

© Parliamentary copyright 1999
Prepared 18 May 1999