 |
About Me | |
|
|
Background | |
|
|
Policy Analysis | |
|
|
Organisations | |
|
|
Cryptography | |
|
|
Technology | |
|
|
Cryptography | |
|
|
Computing | |
|
|
Mathematics | |
|
|
Papers | |
This web page is a response to the SECURE ELECTRONIC COMMERCE STATEMENT issued by the Department of Trade and Industry on April 27th 1997. The text below consists of the original text with comments added in italics.
In terms of principles and aspirations there is much to be welcomed in the policy but it is lacking in specifics and where details are provided they seem to fall well short of the objectives and aspirations that have been set.
Viewed in the context of the pre-election stance of the Labour Party, this policy statement is a considerable disappointment. In particular it lacks any serious commitment to the removal of controls on cryptography and seeks to introduce measures that are closer in spirit to those announced by the last government than they are to the principles established by the Labour Party prior to its election to power.
Brian Gladman, 28th April 1998
SECURE ELECTRONIC COMMERCE STATEMENT
Introduction
The following statement outlines the measures announced earlier today by the Parliamentary Under Secretary of State at the Department of Trade and Industry, Barbara Roche, in response to a question tabled by Dr Stephen Ladyman MP, concerning the Government�s policy on secure electronic commerce. Along with this Statement the Department is publishing separately a Summary of Responses from a previous consultation exercise undertaken in March 1997 on the "Licensing of Trusted Third Parties for the Provision of Encryption Services".
Electronic Commerce
2. The Government places considerable importance on the successful development of electronic commerce. It will, if successfully promoted, allow us to exploit fully the advantages of the information age for the benefit of the whole community.
Limiting the document to be a statement on �electronic commerce� is rather too narrow since there are many aspects of the information society, including, for example, privacy, that extend well beyond the purely commercial domain.
3. The Government is committed to the successful development and promotion of a framework within which electronic commerce can thrive. Electronic commerce, as indicated below, is crucial to the future growth and prosperity of both the national economy and our businesses. Although the prime economic driver for electronic commerce may currently lie with business-to-business transactions, it is clear that consumers (whether ordering books or arranging pensions) will also directly benefit. The following are some of the activities we are actively pursuing with business to develop the environment to achieve these goals:
(i) Information Age
The Government set out its vision for the UK in "Our Information Age", launched on 16 April. The Prime Minister, in his foreword, highlighted the importance of capitalising on the opportunities of the information age to improve people's quality of life, their education and our wider industrial competitiveness. He noted how information technology was central to these aims and how new developments in communications and computing would be reflected in proposals to help modernise government. The Government's approach is based around five central themes: transforming education, widening access, ensuring competition and competitiveness, fostering quality and modernising Government.
(ii) Information Age Competitiveness Working Party
The Information Age Competitiveness Working Party, one of six groups established as part of the Competitiveness UK Initiative, has considered how companies can exploit fully the new opportunities presented by the information age. The Working Party, made up of senior representatives from a wide range of business sectors, has made a series of practical recommendations which will be considered by the President of the Board of Trade during the development of the White Paper on competitiveness, which is due to be published in the Autumn.
(iii) Legal Framework
Later this year, the Government will be launching a consultation to assess the impact of digital convergence on the legal and regulatory framework. In addition to questions about the effect of convergence of broadcasting and telecommunications, this work will also explore whether there are other aspects of the general framework which may need some adaptation to ensure they are fully suited to dealing transparently with electronic commerce as well as traditional commerce. The Government's intention is to ensure, as far as possible, that the law is technology neutral in its application, providing the same legal environment on-line as off. A first, but important, aspect of this work is the legal recognition of digital contracts and signatures. The proposed legislation outlined below will start to address this.
The objectives of technology neutrality and the provision of a similar legal framework for transactions pursued either on or off-line are important and welcome statements of principle. They provide a useful criteria for assessing the policy details set out below.
(iv) Internet content
As the Internet becomes a mass medium it is only right to ensure that the most vulnerable users are protected. This has meant supporting, and encouraging, such initiatives as the Internet Watch Foundation (IWF) to ensure that the law is applied on-line in the same way as it is off-line. Internationally we are co-operating with both the EU and OECD to tackle this important problem. We thus support the aims of the Action Plan on Harmful and Illegal Content on the Internet, which is currently being discussed in a European Council working group.
(v) Benchmarking
A new international benchmarking study to be published by the DTI next month shows that the UK is ahead of Germany and France on many measures of uptake and use of networked technologies, the tools for electronic commerce. For example, 49% of UK companies have Internet access (compared to 44% in Germany and 24% in France), and 37% of UK companies have websites (30% in Germany and 14% in France).
(vi) Support Centres
Local Support Centres (LSCs), based on Business Links and their equivalent in Scotland and Northern Ireland, are key to local delivery of the Programme for Business. These centres provide easily accessible and impartial local advice, to encourage SMEs to reap the benefits of the information age. Over 16,000 companies have now visited LSCs, and have received advice or training on how to use information and communication technologies such as e-mail and the Internet, which are key to the development of electronic commerce. 60 sites are now open, with the aim of 80 operational sites by the end of 1998.
Security and Trust
4. To achieve our goals, however, electronic commerce, and the electronic networks on which it relies, have to be secure and trusted. Whether it be the entrepreneur E-mailing his sales information to a potential supplier or the citizen receiving private electronic advice from their doctor; the communications need to be secure. In a recent DTI survey 69% of UK companies cited security as a major inhibitor to purchasing across the Internet. Good information security, therefore, is a vital ingredient which all IT producers and users should pay heed to. The DTI, which has a dedicated unit involved in giving advice to business on this important business issue, is thus introducing an Accreditation Scheme to assess businesses� compliance to BS 7799, the national standard on information security. The Scheme, being launched on 28 April at Infosec 98, will allow businesses the opportunity to have their implementation of information security professionally certified; giving their trading partners and customers greater confidence and trust. The Department is also chairing an industry working party to review and update the Standard with the aim of making it a global benchmark for all those organisations which take information security seriously.
Although accreditation schemes can be important, experience suggests that they are a poor substitute for a strong competitive market in sorting out quality and assurance issues. Extensive accreditation requirements typically need large investments in order to meet their provisions and this will often have a highly negative impact on the pace of market development, especially in an immature market. In consequence great care will be needed if such measures are to promote quality without undermining the very market forces through which true improvements in quality will be achieved.
5. In addition to best practice, however, our businesses also need access to appropriate technical solutions to protect the information they send across public networks. And perhaps the most important tool is Cryptography; the use of digital signatures and encryption. Whether we are concerned with the integrity of information (ensuring its content has not been altered) or its confidentiality (keeping it secret), the appropriate use of cryptography can be of major benefit to all IT users.
Cryptography
6. There are, however, a number of different characteristics of cryptography, which make it a complex issue. These range from its benefit to electronic commerce and privacy, as noted above, to the concerns strong encryption raises for law enforcement. Thus cryptography policy must take account of the needs of the user (whether an individual or a business), the government and the international community. For the former, issues of trust and confidence are paramount. Whether the requirement is for the integrity of data (vital in many forms of electronic commerce) or its confidentiality (important for business and the citizen) the cryptography mechanism needs to be robust and reliable. Encryption keys protecting the information must be strong enough to deter industrial espionage and hacking. For the Government there are also good reasons why cryptographic services should be robust; they help to protect economic and intellectual assets and enable new services to be delivered to the public (such as electronic tax returns); as well as reducing IT fraud and hacking.
Encryption keys protecting the information must be strong enough to deter industrial espionage and hacking � and to protect the privacy of citizens. This omission is, hopefully, an oversight.
7. The measures the Government plan to introduce take account of these differing aspects of cryptography and also the responses to the consultation process on the licensing of Trusted Third Parties initiated by the previous Administration. In respect of the latter, the Government has responded to business concerns and criticisms of the previous "mandatory" approach to licensing. Thus, as will be explained below, the new proposals will neither oblige service providers to obtain licences nor to use any particular encryption products or technologies. In addition there is now a clear policy differentiation between digital signatures and encryption; another concern of industry during the consultation process. The Department in conjunction with this Statement is publishing an independent summary of the responses from the consultation exercise.
These changes are very welcome and will do much to overcome the many objections to the previous policy. The voluntary nature of the licensing regime could eliminate many of the practical difficulties that would inevitably undermine any attempt to mandate licensing.
International Aspects
8. In recognising the international nature of electronic commerce the Government has, of course, been concerned that policies on encryption should, where appropriate, be consistent with the emerging international consensus. The measures announced today are, therefore, fully compatible with the OECD Guidelines on Cryptography Policy which were agreed in March last year; and, as far as possible, consistent with the developments taking place in UNCITRAL on electronic signatures.
9. The Government has also been working closely with the European Commission, especially in respect of our current tenure of the EU Presidency, to ensure that our policy development is compatible with that outlined in the Commission�s Communication on Encryption and Electronic Signatures released last October. We look forward to working with the Commission and member States on the proposed Electronic Signature Directive which will, we believe, foster the development of a pan-European framework for cryptography services. In respecting these developments the Government recognises the clear differences in approach that need to be afforded to the development of electronic and digital signature services (for integrity) on the one hand, and to encryption (or confidentiality) services on the other.
Some differences of approach stem from desirable Government objectives whereas others derive from activities that many citizens see as undesirable. It would be helpful if the policy spelt out in more detail the precise differences of approach that the Government has in mind in this paragraph.
10. In our efforts to promote the use of electronic signature and encryption services we are also working with our international colleagues to update and streamline the export controls on encryption products. Such controls, we believe, need to reflect the commercial requirements for robust and trusted encryption products whilst also taking account of national security.
This statement is far too general and lacks detail. It would be much more helpful to know precisely what the Government intentions are here. In particular it is now vital that any cryptography controls that are retained meet the following criteria:
that they are directed to meet specific objectives that are fully and openly stated;
evidence is provided to show that the proposed controls can meet these objectives and will not be undermined by forces not under Government control;
evidence is provided to show that the overall benefits that they offer are truly worthwhile given the total (direct and indirect) costs of their operation.
Any existing controls that do not meet these criteria should be removed and the presumption should be that controls should not exist unless a definitive case can be made for them.
Legislation
11. We therefore intend to introduce legislation to license those bodies providing, or facilitating the provision of cryptography services. Principally these will be Trusted Third Parties (the generic term for bodies that provide one, or a variety of cryptography services to their clients), Certification Authorities (bodies which mainly issue certificates for electronic signatures) and Key Recovery Agents (responsible for facilitating the "recovery" of encrypted data). Such licensing arrangements will be voluntary, as business has requested, although we would hope that organisations providing services to the public will see the benefit of adhering to a high standard, and the public confidence that this will bring. We intend that licensed Certification Authorities � conforming to the procedural and technical standards which such licensing will confer � would be in a position to offer certificates to support electronic signatures reliable enough to be recognised as equivalent to written signatures; an essential ingredient of secure electronic commerce. Licensed Certification Authorities offering secure electronic signature services will, we believe, make a significant contribution to electronic commerce. They will provide trust that the authentication process is reliable (ie an owner of an electronic or digital signature certificate is who they say they are) and consumer and business confidence that the signature mechanism employed is robust and secure.
Since: (i) electronic signatures are only sought with a reliability equivalent to that of written signatures, and (ii) written signatures are self certified for nearly all transactions, there is no reason to seek an extensive third party basis for digital signature certification for most day-to-day electronic transactions. This is especially the case given the earlier stated policy intention to establish broadly similar legal provisions for the conventional and the electronic environments.
For many who offer signatures self certification will be seen as perfectly adequate in most situations and there is a clear precedent in written signatures for their widespread acceptance. No doubt there will be situations where higher assurance is needed but these should be exceptional.
It will be important to ensure that licensed services are truly voluntary and remain so without being mandated by backdoor means. The need to certify a digital signature, and the means for doing so, must be the result of agreements between those who are willing to offer such signatures and those who wish to rely on them.
12. Organisations facilitating encryption services (for example through offering key recovery or providing key management services for confidentiality) will also be encouraged to seek licences. Such bodies can offer sound business benefits to their clients. Increasingly organisations are recognising the necessity of being able to recover critical data, which their staff may have encrypted, or the text of the messages they have sent to clients. In such circumstances the permanent loss of an encryption key � perhaps because an employee has left - could be very damaging. Licensed service providers that provide encryption services will, therefore, be required to make recovery of keys (or other information protecting the secrecy of the information) possible through suitable storage arrangements.
The last sentence here is worrying and looks suspiciously like a remnant of the old policy. The previous sentences suggest that this is mandatory to protect the users of these services but there will be some types of encryption keys where their loss is of no concern and where keeping backup copies will add security vulnerabilities. The choice of whether encryption keys need to be backed up is application dependent and requires a careful trade-off between the consequences of key loss and the added risks of keeping duplicates. In consequence, mandating key backup or recovery removes important security choices for users and leads to a suspicion of ulterior motives for the presence of such specific provisions.
Given the intent to provide law enforcement access to keys via warrants (see later), it is also important to understand whether such warrants can only be served on key owners or whether they can be served on encryption service providers without reference to the owner(s) concerned.
Another issue here is that of the certification of confidentiality keys. Such certification does not require access by the certification agent to the private key components and yet it appears that licensed services will be required to seek and obtain such access in order to certify a key for confidentiality use.
Such a provision, if intended, will undermine trust in licensed services since these provisions would be precisely those that made the previous policy proposals widely unpopular. Urgent clarification is needed here in order to discover whether this interpretation of the proposals is correct.
13. In developing its policy on encryption, the Government has given serious consideration to the risk that criminals and terrorists will exploit strong encryption techniques to protect their activities from detection by law enforcement agencies. Encryption might be used to prevent law enforcement agencies from understanding electronic data seized as the result of a search warrant or communications intercepted under a warrant issued by a Secretary of State. This would have particularly serious implications for the fight against serious crime and terrorism. For example, during 1996 and 1997, lawful interception of communications played a part - often the crucial part - in operations by police and HM Customs which led to 1,200 arrests; the seizure of nearly 3 tonnes of Class A drugs, and 112 tonnes of other drugs, with a combined street value of over �600 million; the seizure of over �700 million in cash and property; and the seizure of over 450 firearms. During this period, around 2600 interception warrants were issued by the Home Secretary. (In line with the practice of the Interception Commissioner, this figure relates to all warrants issued by the Home Secretary, not just those for the Police and Customs.)
The evidence in support of the value of lawful communications intercept is helpful but only marginally so since no indication is given of whether the use of encrytion in any of these cases actually prevented the authorities from obtaining the clear text involved. It seems most likely that encrytpion did not frustrate law enforcement access in the vast majority of these cases and, if this is correct, there is no current law enforcement problem that needs to be tackled.
While there may be problem in the future, it would be far better to deal with this if and when it arises since lack of current experience of what the problems really are is certain to lead to poor technological responses and to ineffective or unworkable legislative provisions.
In the UK the general lack of technological knowledge and understanding within the higher levels of the government machine inevitably mean that attempts to anticipate and legislate for perceived future problems involving technology do not often result in sensible policies (remember the attempts at Citizen's Band radio legislation).
14. In response to these concerns, the Government intends to introduce legislation to enable law enforcement agencies to obtain a warrant for lawful access to information necessary to decrypt the content of communications or stored data (in effect, the encryption key). This does not include cryptographic keys used solely for digital signature purposes. The new powers will apply to those holding such information (whether licensed or not) and to users of encryption products. They will be exercisable only when appropriate authority has been obtained (for example, a judicial warrant for the purpose of a criminal investigation or, in the case of interception of communications, a warrant issued by a Secretary of State) and will be subject to strict controls and safeguards.
There is no explanation here of why the warrant will target the "information necessary to decrypt the content of communications or stored data" rather than being much more simply targeted directly at the information that has been encrypted.
With RSA encryption a criminal or a terrorist uses the encryption key of the message recipient to encrypt data and this means that the recipient�s private key is the one needed for decryption. This being so, it means that a warrant will have to be issued against this key rather than the one owned by the criminal. Hence warrants for decryption keys will have to be issued against entirely innocent parties and this does not seem a very reasonable situation. Such provisions will put all the encrypted data sent to this innocent party at risk, not just the message that is being targeted.
All in all, therefore, it would be much more reasonable to target the warrant at the information that has been encrypted rather than at the encryption keys being used.
15. The purpose of the proposed powers is solely to maintain the effectiveness of existing legislation in response to new technological developments. The powers apply only to information which itself has been, or is being, obtained under lawful authority. The Home Office will bring forward detailed proposals in due course.
Conclusion
16. In concluding, electronic commerce offers tremendous opportunities to us all; but unless we harness those opportunities in policies that are both balanced and internationally compatible then trust and security will be the losers.
27th April 1998
Department of Trade and Industry