SECURE ELECTRONIC COMMERCE STATEMENT
The following statement outlines the measures announced earlier today by the Parliamentary Under Secretary of State at the Department of Trade and Industry, Barbara Roche, in response to a question tabled by Dr Stephen Ladyman MP, concerning the Government's policy on secure electronic commerce. Along with this Statement the Department is publishing separately a Summary of Responses from a previous consultation exercise undertaken in March 1997 on the "Licensing of Trusted Third Parties for the Provision of Encryption Services".
2. The Government places considerable importance on the successful development of electronic commerce. It will, if successfully promoted, allow us to exploit fully the advantages of the information age for the benefit of the whole community.
3. The Government is committed to the successful development and promotion of a framework within which electronic commerce can thrive. Electronic commerce, as indicated below, is crucial to the future growth and prosperity of both the national economy and our businesses. Although the prime economic driver for electronic commerce may currently lie with business-to-business transactions, it is clear that consumers (whether ordering books or arranging pensions) will also directly benefit. The following are some of the activities we are actively pursuing with business to develop the environment to achieve these goals:
(i) Information Age
Security and Trust
4. To achieve our goals, however, electronic commerce, and the electronic networks on which it relies, have to be secure and trusted. Whether it be the entrepreneur E-mailing his sales information to a potential supplier or the citizen receiving private electronic advice from their doctor; the communications need to be secure. In a recent DTI survey 69% of UK companies cited security as a major inhibitor to purchasing across the Internet. Good information security, therefore, is a vital ingredient which all IT producers and users should pay heed to. The DTI, which has a dedicated unit involved in giving advice to business on this important business issue, is thus introducing an Accreditation Scheme to assess businesses' compliance to BS 7799, the national standard on information security. The Scheme, being launched on 28 April at Infosec 98, will allow businesses the opportunity to have their implementation of information security professionally certified; giving their trading partners and customers greater confidence and trust. The Department is also chairing an industry working party to review and update the Standard with the aim of making it a global benchmark for all those organisations which take information security seriously.
5. In addition to best practice, however, our businesses also need access to appropriate technical solutions to protect the information they send across public networks. And perhaps the most important tool is Cryptography; the use of digital signatures and encryption. Whether we are concerned with the integrity of information (ensuring its content has not been altered) or its confidentiality (keeping it secret), the appropriate use of cryptography can be of major benefit to all IT users.
6. There are, however, a number of different characteristics of cryptography, which make it a complex issue. These range from its benefit to electronic commerce and privacy, as noted above, to the concerns strong encryption raises for law enforcement. Thus cryptography policy must take account of the needs of the user (whether an individual or a business), the government and the international community. For the former, issues of trust and confidence are paramount. Whether the requirement is for the integrity of data (vital in many forms of electronic commerce) or its confidentiality (important for business and the citizen) the cryptography mechanism needs to be robust and reliable. Encryption keys protecting the information must be strong enough to deter industrial espionage and hacking. For the Government there are also good reasons why cryptographic services should be robust; they help to protect economic and intellectual assets and enable new services to be delivered to the public (such as electronic tax returns); as well as reducing IT fraud and hacking.
7. The measures the Government plan to introduce take account of these differing aspects of cryptography and also the responses to the consultation process on the licensing of Trusted Third Parties initiated by the previous Administration. In respect of the latter, the Government has responded to business concerns and criticisms of the previous "mandatory" approach to licensing. Thus, as will be explained below, the new proposals will neither oblige service providers to obtain licences nor to use any particular encryption products or technologies. In addition there is now a clear policy differentiation between digital signatures and encryption; another concern of industry during the consultation process. The Department in conjunction with this Statement is publishing an independent summary of the responses from the consultation exercise.
8. In recognising the international nature of electronic commerce the Government has, of course, been concerned that policies on encryption should, where appropriate, be consistent with the emerging international consensus. The measures announced today are, therefore, fully compatible with the OECD Guidelines on Cryptography Policy which were agreed in March last year; and, as far as possible, consistent with the developments taking place in UNCITRAL on electronic signatures.
9. The Government has also been working closely with the European Commission, especially in respect of our current tenure of the EU Presidency, to ensure that our policy development is compatible with that outlined in the Commission's Communication on Encryption and Electronic Signatures released last October. We look forward to working with the Commission and member States on the proposed Electronic Signature Directive which will, we believe, foster the development of a pan-European framework for cryptography services. In respecting these developments the Government recognises the clear differences in approach that need to be afforded to the development of electronic and digital signature services (for integrity) on the one hand, and to encryption (or confidentiality) services on the other.
10. In our efforts to promote the use of electronic signature and encryption services we are also working with our international colleagues to update and streamline the export controls on encryption products. Such controls, we believe, need to reflect the commercial requirements for robust and trusted encryption products whilst also taking account of national security.
11. We therefore intend to introduce legislation to license those bodies providing, or facilitating the provision of cryptography services. Principally these will be Trusted Third Parties (the generic term for bodies that provide one, or a variety of cryptography services to their clients), Certification Authorities (bodies which mainly issue certificates for electronic signatures) and Key Recovery Agents (responsible for facilitating the "recovery" of encrypted data). Such licensing arrangements will be voluntary, as business has requested, although we would hope that organisations providing services to the public will see the benefit of adhering to a high standard, and the public confidence that this will bring. We intend that licensed Certification Authorities ñ conforming to the procedural and technical standards which such licensing will confer ñ would be in a position to offer certificates to support electronic signatures reliable enough to be recognised as equivalent to written signatures; an essential ingredient of secure electronic commerce. Licensed Certification Authorities offering secure electronic signature services will, we believe, make a significant contribution to electronic commerce. They will provide trust that the authentication process is reliable (ie an owner of an electronic or digital signature certificate is who they say they are) and consumer and business confidence that the signature mechanism employed is robust and secure.
12. Organisations facilitating encryption services (for example through offering key recovery or providing key management services for confidentiality) will also be encouraged to seek licences. Such bodies can offer sound business benefits to their clients. Increasingly organisations are recognising the necessity of being able to recover critical data, which their staff may have encrypted, or the text of the messages they have sent to clients. In such circumstances the permanent loss of an encryption key ñ perhaps because an employee has left - could be very damaging. Licensed service providers that provide encryption services will, therefore, be required to make recovery of keys (or other information protecting the secrecy of the information) possible through suitable storage arrangements.
13. In developing its policy on encryption, the Government has given serious consideration to the risk that criminals and terrorists will exploit strong encryption techniques to protect their activities from detection by law enforcement agencies. Encryption might be used to prevent law enforcement agencies from understanding electronic data seized as the result of a search warrant or communications intercepted under a warrant issued by a Secretary of State. This would have particularly serious implications for the fight against serious crime and terrorism. For example, during 1996 and 1997, lawful interception of communications played a part - often the crucial part - in operations by police and HM Customs which led to 1,200 arrests; the seizure of nearly 3 tonnes of Class A drugs, and 112 tonnes of other drugs, with a combined street value of over £600 million; the seizure of over £700 million in cash and property; and the seizure of over 450 firearms. During this period, around 2600 interception warrants were issued by the Home Secretary. (In line with the practice of the Interception Commissioner, this figure relates to all warrants issued by the Home Secretary, not just those for the Police and Customs.)
14. In response to these concerns, the Government intends to introduce legislation to enable law enforcement agencies to obtain a warrant for lawful access to information necessary to decrypt the content of communications or stored data (in effect, the encryption key). This does not include cryptographic keys used solely for digital signature purposes. The new powers will apply to those holding such information (whether licensed or not) and to users of encryption products. They will be exercisable only when appropriate authority has been obtained (for example, a judicial warrant for the purpose of a criminal investigation or, in the case of interception of communications, a warrant issued by a Secretary of State) and will be subject to strict controls and safeguards.
15. The purpose of the proposed powers is solely to maintain the effectiveness of existing legislation in response to new technological developments. The powers apply only to information which itself has been, or is being, obtained under lawful authority. The Home Office will bring forward detailed proposals in due course.
16. In concluding, electronic commerce offers tremendous opportunities to us all; but unless we harness those opportunities in policies that are both balanced and internationally compatible then trust and security will be the losers.
27th April 1998 Department of Trade and Industry