UK Notarial Forum Response
to the DTI Consultation Paper
Licensing of Trusted Third Parties for the Provision of Encryption Services
This Comment was published on 15 July 1997.
Citation: UK Notarial Forum, 'Response to the DTI Consultation Paper, Comment, 1997 (3) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/Consult/ukcryp/uknotar.htm>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1997_3/notarial/>
The United Kingdom Notarial Forum is the association of notarial bodies in the United Kingdom. It comprises the Society of Public Notaries of London, The Notaries Society, the Law Society of Scotland and the College of Notaries Public in Northern Ireland.
A Working Party of the United Kingdom Notarial Forum has considered the Consultation Paper on "Licensing of Trusted Third Parties for the Provision of Encryption Services" and has the following comments to make:-
SECTION VI : STRUCTURE OF THE PROPOSALS
43. The policy considerations for HMG which have determined the scope and content of the proposed legislative headings which follow are outlined below:-
The Working Party questions whether business can in fact be constrained in the manner envisaged in the consultation especially in relation to electronic transactions. Licensing is critical in the view of the government for security, but is it necessary for trust in business or consumer protection?
From the notarial point of view, the self regulation of the notarial profession is a sufficient form of licence. There are existing parallels for example the regime under the Financial Services Act 1986.
Positive Licensing Regime
Voluntary use of TTPs
45. The legislation is directed solely towards the provisionof encryption services to subscribers in the UK and notthe useof encryption. Organisations offering or providing encryption services to the public in the UK, including those providing or advertising such services from outside the UK, will be required to be licensed. (The Government is also considering whether UK based bodies which provide encryption services solely to clients outside of the UK should also require licensing). Users, however, will remain at liberty to choose whether to make use of TTPs, or to make other arrangements for their encryption requirements.
The Working Party is of the view that the definition of the provision of "encrypted services" is defective. Territoriality is a concept which is virtually impossible to determine in the computer context.
Paragraph 74 of the consultation paper implies a choice of the recipient, so it follows that if a client does not choose a recipient no licensing is required.
The Working Party considers that the difference between "providing" and "using" encryption services may be more illusory than real and is concerned that no reference is made to archiving of encrypted material.
The Working Party is of the view that the difference between revocation services for confidentiality and for integrity is insufficiently defined. The very purpose of integrity is to enable safe storage and archiving, so how can the Government take the view that it has no intention to access private keys used only for these functions?
Key recovery from licensed TTPs
47. The Government recognises that further legislation may be required in the future to enable the appropriate authorities to obtain private encryption keys other than those held by licensed TTPs.
Exclusions (e.g. intra-company TTPs)
50. The Government invites views on whether the suggested scope of an exclusion from licensing for intra-company TTPs is appropriate in this context.
The Working Party perceives no problems with the exclusion envisaged.
54. The Government invites views on whether, in the short term, it would be sufficient for business to rely on agreements under contract regarding the integrity of documents and identification of signatures; or whether it would be helpful for legislation to introduce some form of rebuttable presumption for the recognition of signed electronic documents.
The Working Party was of the view that legislation would be a good start to remove some of the doubt about contractual rights and responsibilities regarding encryption services and would obviate the vagaries of contractual agreements. Furthermore if the document is electronically or otherwise notarised it should be considered to be self-proving in order to reduce the costs, delay and uncertainty of litigation. From the consumer protection point of view, this would prevent a contract being forced on a consumer by a more powerful or dominant party in the market place.
Convention on key exchange to underpin TTP legislation
55. Although the legislation will require foreign TTPs offering or providing encryption services to clients in the UK to have a registered base in the UK (which will allow for the licensing of non-UK bodies with no trading presence in the UK), there will be no provision requiring UK clients to use a UK licensed TTP. They are, and will be, free to register with foreign TTPs. It will therefore be necessary (for law enforcement purposes) to establish arrangements with other countries for the exchange of keys. The UK Government believes that these arrangements will be on the basis of dual legality i.e. whereby the criteria for access is satisfied in both countries. The keys held by UK licensed TTPs will not, under this legislation, be permitted to be disclosed to the authorities of other countries unless such requests satisfy UK law and are authorised by the competent UK authority. A fuller description of such arrangements is at Annex B.
The Working Party feared that the requirement for dual legality could prove to be a significant hindrance to the competitiveness of UK business to deal with the global market. Dual legality can only come about when the majority of trading nations have established criteria for access. As an interim measure the UK should enter into the process of bilateral arrangements with other States.
Licensing Criteria & Conditions
56. It is intended that the licensing conditions, as opposed to the criteria on which licences will be granted, will not be prescribed in the legislation.
57. The legislation will provide that bodies wishing to offer or provide encryption services to the public in the UK will be required to obtain a licence. The legislation will give the Secretary of State discretion to determine appropriate licence conditions.
The Working Party is of the view that the licence conditions should be subject to adequate scrutiny in the parliamentary process by being included in primary legislation. "In the UK" begs the territoriality issue again.
59. The duration of licences will be a minimum of five years. Licence fees will be payable both on the grant of a licence and annually thereafter to meet the cost of their issuing and enforcement.
The Working Party is of the view that the cost of the administration will be passed on to the consumer and accordingly the costs should be proportionate to the transactions. The Working Party questioned how the scale would be adjusted.
60. The Government invites views on the appropriateness of these arrangements for the licensing and regulation of TTPs.
The Working Party is of the view that nothing as crucial as this should be brought forward without full consultation. The suggestion in Paragraph 58 that the DTI could be the enforcing agency must be openly debated and vigorously examined.
Licensing Criteria & Conditions
62. Before the Licensing Authority will deem an organisation fit to receive a licence to provide encryption services, it will need to be satisfied as to, inter alia:-
- competence and trustworthiness of information security personnel
- competence and trustworthiness of directors
- competence of information security management
- technical assurance of IT security equipment use for key management and storage
- adherence to quality standards and procedures
- adequate liability cover
- ability to meet legal access conditions
- the TTP’s business plan and longevity of interest in market
- isolation of TTP function from other business functions
- interface requirements to other Licensed TTPs
- structure and ownership
65. The Government seeks views on the proposed conditions.
The Working Party notes the absence of a specific reference to complaints resolution. Perhaps the issue of adherence to quality standards and procedures includes this but it should be specifically referred to.
70. The Government invites comments on whether specific exemptions for particular organisations offering encryption services may be appropriate, depending on the nature of services offered.
The Working Party is of the view that exemptions should be available for those who are already subject to conditions consistent with the envisaged rules, such as those rules or regulations governing professional organisations.
71. The Government also invites comments on whether it is thought desirable to licence the provision of encryption services to businesses and citizens wholly outside the UK.
The Working Party is of the view that if it is felt to be desirable to licence encryption services within the UK, then it follows that services provided outwith the UK should also be licensed but enforceability would pose a difficult problem.
72. The legislation will prohibit an organisation from offering or providing encryption services to the UK public without a licence. Prohibition will be irrespective of whether a charge is made for such services. The offering of encryption services to the UK public (for example via the Internet) by an unlicensed TTP outside of the UK will also be prohibited. For this purpose, it may be necessary to place restrictions on the advertising and marketing of such services to the public.
75. The legislation will also prohibit a UK licensed TTP from contracting with any non licensed TTP for the purposes of carrying out encryption services. In order to build up a TTP network it may be necessary from time to time for UK licensed TTPs to recognise non-licensed bodies from other countries where no licensing regime exists. In such cases recognition should not be given to an unlicensed body until the UK licensed TTP is satisfied that such recognition would not put at risk its ability to meet any of its obligations under this, or other, legislation, or international obligations (such as those concerning data protection).
The Working Party queried how is it proposed to effect the prohibition on offering encryption services? How will it be known that such services are being offered to the public in the UK? If overseas licensing regimes are inadequate or otherwise less rigorous service providers could gravitate to those regimes.
76. The legislation will provide that the Secretary of State may issue a warrant requiring a TTP to disclose private encryption keys (protecting the confidentiality of information) of a body covered by that warrant. Under such legal access arrangements, there will be safeguards broadly similar to those in the Interception of Communications Act 1985, under which a Secretary of State may issue a warrant requiring the interception of communications.
The Working Party is of the view that the warrant should be issued by a court, not by the Secretary of State. The court should be of a higher level than the Magistrates Court. The Working Party favours the Crown Court in England or the Sheriff Court in Scotland.
81. The Government seeks views on whether secure electronic methods for the delivery of electronic warrants by the central repository and the subsequent delivery of keys by the TTP should be introduced.
The Working Party agrees that secure electronic methods for the delivery of electronic warrants by the central repository and the subsequent delivery of keys by the TTP should be introduced.
82. The Government also seeks views on whether the legislation specifically needs to refer to other forms of legal access including a civil court order for access to cryptographic keys used to protect information relating to civil matters such as bankruptcy.
84. The Government seeks views on whether deliberate (and perhaps wilfully negligent) disclosure of a client’s private encryption key should be a specific criminal offence, or whether existing civil and criminal sanctions would suffice.
The Working Party is of the view that a client’s private encryption key should be defined in such a way to make it clear that the key is incorporeal, personal or movable property, and as such capable of being stolen, with the resultant liability to criminal and civil sanctions.
85. Other types of sanction will be necessary for non-compliance by TTPs with other licence conditions. Such sanctions may include fines, specific orders issued by the regulator, and (in extremis) withdrawal of a licence.
89. The Government invites comments on whether the principle of strict liability (as described above) is appropriate in these circumstances.
Appeals and Tribunal
91. The Government seeks views on whether, in principle, an independent appeals body (such as a Tribunal, separate from that referred to below) should be created.
93. The Government seeks views on whether the above duties of an independent Tribunal are appropriate.
The Working Party was of the view that the existing court structure in the UK should be used and that procedures should be revised to ensure speedy resolution of issues by judges properly trained to deal with them.
Location of TTPs
94. All organisations wishing to be licensed in the UK as TTPs will be required to register a UK address (if they do not already have one). This address is necessary to ensure compliance with the legal access conditions, Regulatory Orders and other sanctions. It will not be necessary for the escrowed keys themselves to be held in the UK, but only that they are delivered to the UK.
The Working Party is of the view that since licensed organisations are dealing with the concept of trust, an accommodation address would not be sufficient - it should be more than that. The Working Party questioned whether address means a physical or an internet address?
Explanation of Licensing criteria
- Competence of information security personnel.
It will be necessary to ensure that TTP security personnel are competent, suitably qualified, trusted and have successfully completed a recognised security vetting procedure.
- Competence of directors.
Checks will need to be undertaken to ensure that the background and other business interests of directors would not compromise the trust placed in a TTP.
- Competence of information security management.
TTPs will need to demonstrate that their system security policy is suitable for TTP operations and consistent with information security standards (such as BS 7799).
- Technical assurance of IT security equipment used for key managements and storage.
Evaluation of the security system and IT security products will need to be undertaken, for example UK ITSEC, although formal evaluation by an independent third party may not be the sole evaluation procedure.
The Government seeks comments on whether mandatory ITSEC formal evaluation would be appropriate
- Adherence to quality standards and procedures.
e.g. ISO 9000.
- Assessment of business plan and longevity of interest in market.
TTPs will need to demonstrate that their interest in providing a TTP service is not short term. They will also need to demonstrate that adequate procedures are in place to ensure that integrity and confidentiality of all information, in the event that the TTP withdraws such services.
- Isolation of TTP function from other business functions.
Many organisations may wish to operate as TTPs while continuing other business interests. A TTP may need, therefore, to demonstrate that the TTP function is isolated from its other business functions.
- Interface requirements to other Licensed TTPs.
In order to achieve widespread interoperability, TTPs will be required to operate to common interface requirements.
- Company structure and ownership.
Checks will be made to ensure that those who own, or effectively control, an organisation, are suitable candidates for ownership of a TTP.
The Working Party is of the view that greater clarification of what the criteria involve would be advisable in order to avoid an onerous accumulation of different sets of standards.