United Kingdom Parliament
Select Committee on Trade and Industry Fourteenth Report


  B. THE DRAFT BILL: PART I

  8. In March 1999 the DTI proposed the establishment of a voluntary statutory licensing scheme for providers of cryptography services (trusted service providers or TSPs). We acknowledged the need for some sort of accreditation scheme for TSPs, to persuade potential users of electronic commerce that it was as safe and reliable as traditional forms of commerce, but questioned whether such a scheme needed to be statutory. We recommended that the Government take powers to establish a statutorily-backed scheme but hold them in reserve unused unless and until it was demonstrated that a voluntary scheme had failed to protect the interests of all consumers and service providers.[14]

9. The Government has accepted our recommendation that a statutory accreditation scheme for TSPs should be implemented only if self-regulation by the industry is seen to fail.[15] In its reply to our previous Report DTI set out the characteristics which an industry-led scheme must display in order for it to be accepted as a suitable alternative to a statutory scheme, including that it should be "demonstrably rigorous, impartial and trusted by all sectors of industry", that it should not act as a barrier to new entrants to the market and that it should have a means of taking into account the views of consumers.[16] The Government hopes that a scheme meeting these criteria will be established by the Alliance for Electronic Business by the end of 2000.[17] If such an accreditation scheme is not set up then the Government has proposed to consult on the introduction of the statutory scheme, the proposals for which are in line with the March 1999 consultation paper.[18] DTI has said that it will report on progress made in establishing an industry-led scheme during passage of the Bill. Although most respondents to the draft Bill were satisfied with the Government's intention to leave the regulation of TSPs to industry, there were calls for part I of the draft Bill to be dropped altogether and for the legislation to set out the broad objectives rather than the details of a statutory accreditation regime.[19] We recommend that DTI and the Alliance for Electronic Business formulate and publish a timetable for the establishment of the industry-led accreditation scheme in time for second reading, so that Parliament can assess the likelihood of the statutory scheme being implemented.

Fees

  10. Irrespective of the basis on which an accreditation scheme is established, TSPs will be required to pay a fee for accreditation. DTI told us that the industry-led scheme is to be "run on a non-profit making basis", perhaps along similar lines to the Internet Corporation for Assigned Names and Numbers (ICANN), the body which allocates internet domain names, and that the fees charged under a statutory regime "would be set to cover the cost of determining whether an applicant met the required standard and ongoing costs".[20] In its draft regulatory impact assessment DTI explained the difficulties of estimating the scale of the fees that TSPs were likely to be charged, particularly because the standards which firms would be required to meet for accreditation have not yet been established.[21] Nevertheless, draft criteria for accreditation do exist and are likely to be similar whether the scheme is industry-led or statutory.[22] DTI has promised to provide further information on costs during the passage of the Bill.[23] We recommend that the Government give an early indication of the fees likely to be charged to TSPs under both the industry-led and statutory schemes.

11. Accreditation, whether by an industry-led or statutory scheme, will be vital for many TSPs which lack the brand name and reputation of organisations such as the Post Office and British Telecommunications, both of which have already launched TSP ventures.[24] It is important that such TSPs, particularly those which are small and medium sized enterprises, are not deterred from seeking accreditation by the level of fees charged. Even if fees are set at a level commensurate with the costs of accreditation, they might still bear disproportionately on small firms. We recommend that the Government consider the case for a sliding scale of fees to be set for accreditation, whether by an industry-led or statutory scheme, to help overcome any barriers to entry to the market.

Key Escrow

  12. Much of the debate about cryptography policy has focused on the possibility that the Government might mandate or encourage key escrow, whereby users of encryption deposit their private encryption keys with a TSP, or related technologies.[25] We welcomed the Government's announcement in March 1999 that it was no longer proposing that TSPs would need to provide key escrow or key recovery in order to be accredited, but we cautioned that the draft accreditation criteria proposed by DTI still seemed based on the previous key escrow policy and expressed disappointment that the Government remained keen to promote key escrow and key recovery technologies.[26] In reply to our Report the Government said they accepted that "the widespread adoption of key escrow and key recovery is unlikely in the current climate" and that "a mandatory link between approved providers of services and key escrow would not support the Government's twin objectives on e-commerce and law enforcement".[27]

13. We are concerned that the Government has yet to rid itself of its previous attachment to key escrow and related technologies. Rather than rule out key escrow because of the wide range of criticisms made about it by industry, civil liberties campaigners, computer experts and others, the Government has simply admitted that its widespread adoption is unlikely at present. We recommended that powers should not be taken in the forthcoming Bill to permit the introduction of key escrow or related requirements in future, for instance by an addition to the accreditation criteria for TSPs if a statutory regime were in force, but the Government chose not to answer this point. We are also concerned that although a mandatory link between approved TSPs and key escrow has been ruled out, the Government might encourage a voluntary link instead.[28] The Government is likely to make use of TSPs in its electronic communications with firms and individuals and might seek not only to deal with accredited TSPs but with TSPs which offered key escrow or related services as well. A recent report by the Performance and Innovation Unit of the Cabinet Office suggested it was likely that the authentication and encryption standard adopted by the Government would "become the de facto UK standard".[29] By working only with those TSPs which can provide key escrow or related services, the Government could encourage the widespread use of such services throughout the UK.

14. Following on from the Government's welcome announcement that key escrow would not be proposed as an accreditation criterion for TSPs under a statutory regime, but in the light of the concerns we have outlined above, we recommend that:

  • the legislation should explicitly exclude the use of key escrow as a criterion for accreditation under a statutory regime
  • key escrow, key recovery or related measures should not be accreditation criteria under an industry-led regime
  • if it were decided to seek to introduce key escrow, key recovery or related measures in future then the accreditation scheme should be placed on a statutory basis, if it were not already so, and there should be provision for a full public consultation exercise and parliamentary decision on the issue
  • an unequivocal commitment be made that key escrow, key recovery or related measures will not be introduced through the back door as a result of the Government's participation in electronic commerce.



14   HC187, paragraphs 59-73

15   The Government has described the proposed reserve statutory regime as an "approvals" scheme. We have continued to use the words accredited and accreditation instead of approved and approvals throughout this Report

16   Cm4417, p9 paragraph 28; responses to Government from Berwin Leighton p3 and Cable and Wireless Communications p3 questioned whether the criteria were sufficiently clear

17   Ev, p2, part I, Q3; the Alliance for Electronic Business comprises the Confederation of British Industry, the Computing Services and Software Association, the Direct Marketing Association, the Federation of the Electronics Industry and e centreUK

18   Cm4417, p8 paragraph 25; Building Confidence in Electronic Commerce, DTI, Mar 99, URN99/642, paragraph 40; and see paragraph 51

19   Responses to Government from European Informatics (EURIM) p2, Interforum p2, the Law Society p2, the Foundation for Information Policy Research p2 and John Brazier p3 called for part I to be dropped; the response from ICL p3 argued that the details of a statutory scheme should not be included in legislation; the response from the British Computer Society p2 called for the scope of activity of TSPs to be more tightly prescribed; Thus Ltd pp1-2 questioned the value of part I

20   Ev, p2, part I, Q1

21   Draft Electronic Communications Bill: Draft Regulatory Impact Assessment, DTI, Jul 99, URN99/1020, pp5-7

22   See Cm4417, p9 paragraph 29

23   Ev, p2, part I, Q1; the response to Government from British Telecommunications (paragraph 3) called for more information on the fees proposed in part I of the draft Bill

24   E-commerce@its.best.uk, Performance and Innovation Unit, Cabinet Office, Sep 99 (hereafter PIU Report) paragraph 10.23

25   HC187 paragraphs 16-17, 83-90

26   HC187 paragraphs 71, 73, 89-90

27   Cm4417, p11 paragraph 36

28   See paragraph 52 for concerns that key escrow could be introduced through orders made under clause 5 of the draft Bill, despite the Government's commitment not to make key escrow a condition of accreditation under a statutory scheme; and also the response to Government from the National Criminal Intelligence Service supporting a statutory accreditation scheme because "the powers in part III of the Bill will have limited effect if the only person to have a decryption key is the criminal him- or herself"

29   PIU Report, paragraph 10.25


 

© Parliamentary copyright 1999
Prepared 3 November 1999