CBI's Response (Summary)
to the DTI Consultation Paper
Licensing of Trusted Third Parties for the Provision of Encryption Services
This Comment was published on 9 July 1997.
Citation: CBI, 'Response to the DTI Consultation Paper', Comment, 1997 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/Consult/ukcryp/cbi.htm>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_3/cbi/>
The CBI welcomes this draft proposal for legislation to underpin trust in the emerging electronic world. However, the CBI has serious concerns as to the practicality of the current proposals and their impact on the ability of UK industry to take advantage of emerging opportunities. We believe that further consultation is needed before draft legislation can be drawn up.
This response is in three parts:
The first part provides general comments on the proposals contained in the Consultation Paper, and gives suggestions on a way forward.
The second part gives answers to the specific questions raised in the Consultation Paper.
The third part consists of two Annexes - one giving detailed comments, paragraph by paragraph, on the Consultation Paper, and the other providing some scenarios that illustrate how these proposals could affect industry.
Part 1 - General Comments
1. Appropriateness of Proposals
1.1 The CBI has actively supported the Government's Information Society Initiative. We welcome any initiatives that help make the UK a world leader in the new age of electronic commerce. Our response to the announcement of 10 June 1996 on the provision of encryption services on public networks highlighted the opportunities. However that response also raised concerns that unduly restrictive legislation could adversely affect the ability of UK industry to exploit these opportunities and might discourage rapid development of a public key infrastructure in the UK.
1.2 The CBI supports proposals that encourage the use of public key infrastructures in support of electronic commerce by legitimate business while creating trust in such services offered to the general public. The proposals put forward in the Consultation Paper do not recognise the complex trust relationships that already exist in industry, imposing costly licensing of public key infrastructure services onto legitimate business processes to no benefit.
1.3 The CBI has also supported the development of the OECD Guidelines on Cryptography Policy, which have just been published. We recognise that the needs of individuals and industry must be balanced against the needs of law enforcement and national security, and see the OECD Guidelines as providing a framework within which that balance can be struck. The CBI believes that the exclusions proposed do not strike the right balance between the various Principles in that document. The proposed licensing requirements, in the view of the CBI, are not '..no more than are essential to the discharge of government responsibilities..' (Principle 2).
1.4 The CBI believes that the proposals place restrictions on the ability of UK industry to work with partners internationally. They also appear to force international companies doing business with UK companies, or in the UK, to abide by the proposed licence conditions. While this might be acceptable if such licence conditions were widely imposed internationally, their early introduction just in the UK would create a very unbalanced international trade environment. This would act to the detriment of UK industry, and would discourage inward investment by companies investing in the emerging electronic world.
1.5 The Consultation Paper is very imprecise in its use of terms, which makes it difficult to determine exactly the implications of some of the proposals. In particular there is an over-emphasis on the need to obtain the keys of encrypted information being communicated. The reference to Encryption Services in the Title of the Paper reflects this. Future proposals should recognise the different uses of cryptography and types of service that can be offered, and how regulation will vary between them. The Paper also assumes particular technical solutions (especially for the management of keys used for confidentiality). Any proposed legislation must be technically neutral if it is not to need continual amendment to cater for new technologies and applications.
1.6 In order to understand better how these proposals might affect industry, a set of typical scenarios was created. These were used to identify where licensing might be required in the business environment, and to draw conclusions on the extent to which industry could require TTP licences under these proposals. These scenarios are attached as an Annex for information. The CBI would be happy to discuss their implications with the DTI.
1.7 The CBI considers that, overall, the proposed legislation will not create an environment that encourages UK industry to exploit the opportunities offered by electronic commerce. These proposals can be interpreted as placing a substantial regulatory burden on all companies trading electronically, and appearing to focus on the needs of law enforcement to access keys used for confidentiality at the expense of the needs of industry for an environment in which public key based processes for creating trust in electronic commerce can rapidly be established.
1.8 These points are covered in more detail in the answers to the Questions listed in Section VIII of the Consultation Paper, included in this response. We have also provided in an Annex to this response a detailed paragraph by paragraph commentary on the Consultation Paper.
2. A Way Forward
2.1 The CBI would like to see a clear distinction made between the different uses of cryptography and types of service that can be offered. The way regulation is applied can vary accordingly. In particular, the CBI would propose that cryptography services provided in support of legitimate business activities be treated differently from those offering commercial or public cryptographic services as a business to the general public. This would enable industry to operate internationally with minimum regulatory overheads while creating trust in commercial services for smaller businesses and individuals.
2.2 The CBI suggests that a better approach would be for the legislation to define clearly the Principles that need to be followed for provision of cryptography services of different types and use. The legislation can then provide mechanisms for the verification of conformance to those principles that are relevant in different situations. For those offering commercial cryptographic services to the general public, this could be a full licensing process, while for businesses providing such services purely in support of their business operations this could be by a simple registration process, or by a simple open licence application. This would remove from industry the burden of setting up expensive independent cryptography services while ensuring that the essential mechanisms to meet government access needs were, if appropriate, in place. Such an approach could also more easily be technically neutral.
2.3 The CBI considers that significant additional work needs to be done in other areas such as liability, relationships with existing and proposed legislation (such as to include the effects of the Data Protection Directive), relationships with other initiatives (especially internationally), recognition of digital signatures, and licence terms and conditions. There is also the need to consider the implications of proposals being put forward by the newly elected government such as adoption of the European Convention on Human Rights. We recommend that further consultation take place before draft legislation is drawn up. We are concerned lest legislation is rushed through that requires so much interpretation that UK industry is severely restricted and people lose trust in the licensing system because it is too confusing.
2.4 This could, with advantage, be prioritised with initial legislation focusing on establishing trust services as part of legitimising use of electronic transactions, and altering The Interpretation Act so that all future statutes are interpreted in an electronic friendly way unless they contain an express provision to the contrary.
Part 2 - Answers to Specific Questions
This section provides views on the Questions listed in Section VIII of the Consultation Paper. In each case the Question is repeated, with the CBI view following.
Note that, throughout these answers, the term cryptographic services has been used rather than encryption services, since the former is more representative of what industry needs and uses. It is also consistent with the terminology used in the OECD Cryptography Policy Guidelines.
Para 50. Whether the suggested scope of an exclusion from licensing for intra-company TTPs is appropriate in this context.
The CBI considers that the proposals as written in paragraph 48 are unduly restrictive, and do not recognise the way that industry operates. The exclusions defined here are too imprecise - for example, what is meant by a closed user group or employee - and appear to conflict with statements in paragraph 68. As can be seen from the scenarios in Appendix A, companies form complex relationships both internally and with other organisations. Such relationships already imply trust relationships, and industry is already extending these to include trust in public key infrastructures and exchange of confidential information electronically. Examples that would appear to require licences for providing cryptographic services under the current proposals are consortia, virtual corporations and relationships with and between groups of suppliers. However, since most companies will interact with people and organisations outside their control, they will inevitably interact with a licensed TTP, resulting in a need for them to become licensed whatever the exclusions. Paragraph 69 appears to acknowledge this.
The exclusions in paragraph 49 are also unclear, and could be technically dependent. For example, it is not clear if applications supporting the SSL or SET protocols would be exempt.
Overall, the CBI is concerned that exemption on the grounds described would require very detailed definitions and would always be subject to complex interpretation. We recommend that a different approach be taken, with legitimate business having the ability to register business-related cryptography services rather than having to provide the full, independent TTP environment required by these proposals.
Para 54. Whether, in the short term, it would be sufficient for business to rely on agreements under contract regarding the integrity of documents and identification of signatures; or whether it would be helpful for legislation to introduce some form of rebuttable presumption for the recognition of signed electronic documents.
The vast majority of current written signatures are accepted on the basis of mutual trust, and there is no obvious reason why this should change with digital signatures. Where additional confidence is required (in situations equivalent to the need for witnesses to a written signature, for example) there may be a need to ensure that such digital signatures are certified by a Certification Authority recognised contractually between the parties involved. This may be the Certification Authority service provided within an organisation (for example where an organisation is exchanging information with a contracted supplier) or by a mutually agreed third party. There is no business need for such a third party to be licensed.
Where business is carried out with people with whom no contractual relationship exists (for example with a member of the public) there would be advantage in ensuring that their public keys are certified by a trustable authority. In such cases there could be advantage in such public certification authorities being licensed.
There is a general need to provide a better legal framework for the recognition of electronic documents and signatures. Care must be taken to ensure that any legal framework reflects the way in which digital signatures are used. Digital signatures are one technical means of achieving certain business functions in the electronic world, and it is the function that needs to be legally recognised. This may require more than just confirmation that the certificate attached to a public key is valid. As pointed out in the Consultation Paper, the Society for Computers and Law has done work in this area and concluded that 'These are complex issues and cannot be rushed. Such changes will possibly help to underpin secure electronic commerce for a long time to come. We cannot afford therefore to get it wrong.', so any legislation in this area should be carefully considered, including the impact of TTP licensing. However, legislation to legitimise the use of electronic transactions would be useful in the short term. A rebuttable presumption could introduce a positive incentive for industry to use electronic transactions, but would need to take account of factors such as the erosion of cryptographic strength over time. A transaction that is secure today may not be seen as secure in six years' time (the statutory limitation period).
Para 60 The Government invites views on the appropriateness of these arrangements for the licensing and regulation of TTPs.
The CBI considers that the licensing approach proposed is too restrictive, especially if all licences require the level of investment implied by the criteria in Annex C. Although it is implied that licences are only needed where cryptographic services are offered to the public, interpretation of this elsewhere suggests all businesses will be forced to license their cryptographic services as well, leading to a huge demand on the licensing authority.
The CBI recommends that the licensing process be different for different types of cryptography service, and for different types of use. Full licensing, as proposed, would be appropriate for those offering cryptography services as a commercial service or business to the general public. However, some form of registration or open licensing arrangement (such as exists now for export of certain goods) would be more appropriate for use within a legitimate business context.
The CBI sees no reason why licences should be renewable. Provided service providers conform to the terms of their licence it should remain in force indefinitely.
Para 65 The Government seeks views on the proposed conditions.
While the set of defined licence conditions may be appropriate for the most stringent commercial cryptographic service provision to the general public, the CBI suggests that a subset of these conditions would be appropriate not just for the licensing of specific services, but also for the licensing of different types of use by legitimate businesses, as discussed earlier. Indeed such costly licence conditions will positively discourage investment in cryptographic service provision (especially by smaller entrepreneurial firms) to the detriment of UK business overall.
Para 70 The Government invites comments on whether specific exemptions for particular organisations offering encryption services may be appropriate, depending on the nature of the services offered.
As discussed in the answer to paragraph 50, the exclusions do not recognise the complex ways in which business is conducted. Statements in paragraphs 66-69 also appear to contradict or ignore statements in paragraph 48 - for example on closed user groups. Finally paragraph 69 effectively admits that any exclusions are, in practice, meaningless. These proposals would also discourage organisations from basing in the UK cryptographic services supporting particular industries - such as the banking industry or the shipping industry - to the detriment of the UK balance of payments.
The CBI would prefer to see the licensing process applied in a way that did not mandate the need for companies to create expensive, multiple independent TTPs within their organisations in order to do business. The proposed exclusions appear not to achieve this.
Para 71 The Government also invites comments on whether it is thought desirable to license the provision of encryption services to businesses and citizens wholly outside the UK.
If the UK is to become a leading player in the emerging world of electronic commerce, it must encourage investment in businesses offering a range of relevant services to customers world-wide. A distinction needs to be made between services provided in a business context (perhaps within a closed user group), and services offered on a commercial basis to the general public. Any unreasonable restrictions on the former will damage the ability of the UK to exploit this emerging opportunity since trust is established through commercial arrangements between the parties involved and strong licensing conditions would be an additional cost burden. Where services are offered commercially to the public world-wide, strong licensing conditions may be seen as a benefit, and encourage the establishment of such services in the UK, provided the cost of conforming to those licence conditions is not so high as to discourage investment.
Para 81 The Government seeks views on whether secure electronic methods for the delivery of electronic warrants by the central repository and the subsequent delivery of keys by the TTP should be introduced.
While the CBI recognises the advantages of providing a central repository to manage legal access to confidentiality keys, we have two major concerns.
First, any such repository must be seen to be completely independent of any government agency or control, and of control by the law enforcement authorities. It must also report publicly on its operations, be able to present on request public legally binding audit trails of its operations and be liable for any faults.
Second, any technology that is required to enable the automatic operation of the repository must be demonstrated to conform to a publicly available security policy. Given that most products that could be affected by such technology are sourced from outside the UK, it will also be necessary for non-UK product suppliers to agree to support such technology. Enforced use of a technology supported only in the UK would cripple UK organisations that trade internationally.
There also needs to be a clearer definition of exactly what is handed over on such requests. Technologies for encrypting information differ between products, and whether the information is being stored or communicated. For example, Microsoft Word can encrypt documents using a local key provided by the user; firewalls providing 'IP tunnelling' encrypt all external communications between two firewalls using a random session key generated once they have been mutually authenticated. Associated information on certificate formats or algorithms used may also be needed.
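To make the distinction in the preceding paragraph concrete, the following is an added, illustrative example; it is not part of the CBI response or of the DTI paper. Two constructed designs for a firewall-to-firewall tunnel are run side by side, and a holder of the escrowed long-term key is shown what it can and cannot recover from a captured exchange in each: in the first the session key is wrapped under the long-term key, in the second the long-term key only authenticates a fresh Diffie-Hellman exchange. All names, keys and messages are hypothetical. The Diffie-Hellman group is the 1024-bit RFC 2409 'group 2' prime, chosen only because it is short enough to embed inline; it is far too weak for real use.

```python
# Added example (not from the CBI response or the DTI paper). Compares what an
# escrowed long-term key yields against two constructed tunnel designs.
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit safe prime, generator 2. Toy strength today.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; sanity-checks the embedded group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Constructed stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call decrypts. Illustration only, not an AEAD."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, out))

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

# Design 1: static key transport. Session key wrapped under a KEK from the long-term secret.
def static_transport_session(longterm: bytes):
    session_key = secrets.token_bytes(32)
    kek = hashlib.sha256(b"kek" + longterm).digest()
    return session_key, {"wrapped_key": keystream_xor(kek, b"wrap", session_key)}

def escrow_recover_static(longterm: bytes, transcript: dict) -> bytes:
    kek = hashlib.sha256(b"kek" + longterm).digest()
    return keystream_xor(kek, b"wrap", transcript["wrapped_key"])   # escrow copy unwraps it

# Design 2: ephemeral DH. Long-term secret only MACs the public values.
def dh_session(longterm: bytes):
    a = secrets.randbelow(P - 2) + 1          # fresh per connection, never sent, never escrowed
    b = secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    ga_b, gb_b = ga.to_bytes(128, "big"), gb.to_bytes(128, "big")
    transcript = {"ga": ga_b, "gb": gb_b,
                  "tag_a": mac(longterm, b"A", ga_b),
                  "tag_b": mac(longterm, b"B", gb_b, ga_b)}
    key_a = hashlib.sha256(pow(gb, a, P).to_bytes(128, "big")).digest()
    key_b = hashlib.sha256(pow(ga, b, P).to_bytes(128, "big")).digest()
    return key_a, key_b, transcript

def escrow_inspect_dh(longterm: bytes, transcript: dict) -> dict:
    """What a holder of the long-term secret learns from the captured exchange."""
    authentic = (hmac.compare_digest(mac(longterm, b"A", transcript["ga"]), transcript["tag_a"])
                 and hmac.compare_digest(mac(longterm, b"B", transcript["gb"], transcript["ga"]),
                                         transcript["tag_b"]))
    # The session key is SHA-256(g^ab). The wire carries only g^a and g^b; the exponents
    # exist only on the endpoints, so nothing derivable from `longterm` yields the key.
    return {"peers_authenticated": authentic, "session_key": None}

def demo() -> dict:
    longterm = secrets.token_bytes(32)        # copy held by both firewalls and by the TTP
    msg = b"constructed payload: invoice 4711"  # constructed sample traffic
    sk, tr1 = static_transport_session(longterm)
    ct1 = keystream_xor(sk, b"data", msg)
    recovered = keystream_xor(escrow_recover_static(longterm, tr1), b"data", ct1)
    ka, kb, tr2 = dh_session(longterm)
    ct2 = keystream_xor(ka, b"data", msg)
    view = escrow_inspect_dh(longterm, tr2)
    return {"static_escrow_decrypts": recovered == msg,
            "dh_keys_agree": ka == kb,
            "dh_peer_decrypts": keystream_xor(kb, b"data", ct2) == msg,
            "escrow_authenticates_dh": view["peers_authenticated"],
            "escrow_has_dh_session_key": view["session_key"] is not None}

if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() reports that the escrowed key recovers the wrapped session key in the first design but, in the second, only confirms which firewalls took part; the session key exists only on the two endpoints. A warrant served on the key holder alone may therefore yield nothing for products built the second way, which is why the legislation needs to say what is actually being handed over.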
There are other issues in this process that need clarification. An example is the need to inform the owner of a key that has been accessed under warrant, but who is subsequently not charged, that the key has been compromised and should be changed. Who carries the cost in such cases is not defined.
Para 82 The Government also seeks views on whether the legislation specifically needs to refer to other forms of legal access including a civil court order for access to cryptographic keys used to protect information relating to civil matters such as bankruptcy.
The CBI considers it desirable that the legislation should refer to other forms of legal access - for example legal access provisions for the purposes of other legislation, such as insolvency.
Some consideration should be given as to how to deal with privileged information, for example that between a solicitor and their client. An appropriate mechanism must also be incorporated specifically to protect information where it relates to the obtaining and giving of legal advice in relation to a prosecution.
Para 84 The Government seeks views on whether deliberate (and perhaps wilfully negligent) disclosure of a client's private encryption key should be a specific criminal offence, or whether existing civil and criminal sanctions would suffice.
The Data Protection Act and Computer Misuse Act were not drafted with this legislation in mind. Therefore this legislation should also make express provision for remedies for the unauthorised deliberate, reckless or negligent disclosure of a private key of any form. This should apply even where the discloser of such keys is not an individual, or a public or private company but, for example, a government agency or a law enforcement body. The CBI recommends that this be a criminal offence to reinforce the trust in those providing commercial cryptography services to the general public. The government’s proposals in this area would need to be further consulted upon once the draft proposals have been prepared.
Para 89 The Government invites comments on whether the principle of strict liability (as described in para 86-88) is appropriate in these circumstances.
The CBI is not entirely clear what is being proposed, with both a system of strict liability and a Tribunal, which appears to be assessing damages. However, the principle intended where strict liability is applied may be reasonable subject to clarification of detail. For example, the maximum must be sufficiently large to make the resultant compensation reasonable; the TTP should be liable for any unauthorised disclosure of any information provided in confidence or any service negligently supplied, not just disclosure of encryption keys; this liability should extend to all types of employee (including any associates or contractors used). The liability of agents requesting access to or legitimately handling keys is also not clear.
Para 91 The Government seeks views on whether, in principle, an independent appeals body (such as a Tribunal, separate from that referred to in para 92) should be created.
The CBI strongly supports the creation of an appeals body that is independent of both the regulatory and licensing authorities and of Government control.
Para 93 The Government seeks views on whether the duties of an independent Tribunal, as listed in para 92, are appropriate.
The CBI strongly supports the creation of an independent Tribunal with the powers described in Para 92. Its part in establishing liability needs clarification, as stated in the answer to paragraph 89.
Annex C Would mandatory ITSEC formal evaluation be appropriate?
The CBI sees ITSEC evaluation as adding significantly to the cost of provision of cryptography services, and to the time taken to set them up. If the interpretation of these proposals does result in most companies having to license their cryptography services, then mandatory ITSEC evaluation would be an unacceptable burden. It would also discourage investment by smaller service companies.
The CBI believes that it would be sufficient to produce a clear set of Guidelines or Codes of Practice on the security system, business and administrative processes that would need to be provided for different types of cryptographic service. There could also be a recommended Security Policy for cryptographic service providers to follow. These documents could be used to confirm that service providers are, indeed, conforming to licence conditions. ITSEC evaluation of products used by service providers could provide an additional, optional, degree of confidence that commercial services offered to the public have integrity, but this may not be cost effective.