28 April 1998: Four DTI files listed below in original DOC format, Zipped into one:
http://jya.com/uk-ecomm.zip (22K)
27 April 1998
Source: UK Crypto mail list
This replaces an earlier txt version posted by
<martin@mrrl.lut.ac.uk>
From: "Caspar Bowden" <Caspar.Bowden@qualia.co.uk>
To: <ukcrypto@maillist.ox.ac.uk>
Subject: UK crypto policy announcement today at 3:30pm
Date: Mon, 27 Apr 1998 12:36:35 +0100

I've just been informed that there will be an announcement on UK crypto policy today in Parliament (answer to a written question at 3:30pm).

No obvious reference on: http://www.parliament.the-stationery-office.co.uk/pa/cm199798/cmordbk1/80427w01.htm but could be Q.150

Provenance sounds official from DTI

--
Caspar Bowden - Director, Qualia Internet Consultants
41 Great Percy Street, London WC1X 9RA
Tel: +44(0)171 837 8706, Fax: +44(0)171 827 6534
Date: Mon, 27 Apr 1998 16:15:00 +0100
From: Hendon David <David.Hendon@CIID.dti.gov.uk> (Tel 0171 2151779)
To: ukcrypto@maillist.ox.ac.uk
Subject: UK electronic commerce announcement today

Good afternoon colleagues

As promised, we are now bringing you the definitive version of the announcement that was made by Barbara Roche MP this afternoon in written answer to House of Commons Parliamentary Question Q150. The attachments to this email are the PQ and Answer, the associated statement and the summary of responses to the consultation we carried out in April 1997.

David Hendon
Nigel Hickson

**** DOCUMENT TYPE INFORMATION ****
Mail has the following body parts:
Body 1 : # 118# ANA27P.DOC 27.04.1998 13:08 24576
Body 2 : # 118# PQANS27P.DOC 27.04.1998 12:53 13312
Body 3 : # 118# RESPONS.DOC 21.04.1998 14:03 15872
Body 4 : # 118# RESPANN.DOC 21.04.1998 13:52 13824

[DOCs converted to HTML and arranged 2, 1, 4, 3 below]
PQANS27P.DOC 27.04.1998 12:53 13312
Draft question
To ask the PBT how the Government intends to encourage the use of electronic commerce, and if she will make a statement.
Draft response to written PQ
The Information Age strategy launched by the Prime Minister on 16 April demonstrates the Government's commitment to electronic commerce. Electronic commerce is crucial to the future prosperity of our economy and to the competitive position of our industries, and the UK is well placed to play a leading role. Building on the success of the Programme for Business, the Government is now putting in place the policy and legal framework in which electronic commerce can flourish. From schools to high finance in the City the government is committed to ensure everyone benefits from advanced electronic communications.
It is also important to make electronic commerce more secure. Users cannot afford to let the information they transmit across the Internet (or any other network) be compromised. They must have confidence that both the integrity and confidentiality of their information will be protected. At the same time, users must be able to trust both the technologies which allow such security and the commercial organisations providing it. To that end, I am announcing today proposals for legislation to introduce voluntary licensing arrangements for bodies offering cryptographic services to the public, to ensure that minimum standards of quality and service are met. They will apply to both Certification Authorities (providing electronic signature services) and other bodies providing encryption services. The arrangements will set minimum technical and competence standards for bodies that wish to seek licenses. The legislation will also enable users to place greater reliance on digital signatures, through a presumption of legal recognition for those signatures generated by licensed Certification Authorities. Fuller details of this policy are set out in a Statement which is being lodged in the libraries of both Houses.
It is not, however, in the interests of business or the public for criminals and terrorists to be able to exploit these new technologies to disguise or conceal their activities. To meet these concerns, the Government will also introduce legislation making provision for law enforcement agencies to gain legal access, under a properly authorised warrant and on a case by case basis, to encryption keys or other information protecting the secrecy of stored or transmitted information. The purpose of these new powers will be to maintain the effectiveness of the existing legislation designed to protect the public from crime and terrorism.
ANA27P.DOC 27.04.1998 13:08 24576
1. The following statement outlines the measures announced earlier today by the Parliamentary Under Secretary of State at the Department of Trade and Industry, Barbara Roche, in response to a question tabled by Dr Stephen Ladyman MP, concerning the Government's policy on secure electronic commerce. Along with this Statement the Department is publishing separately a Summary of Responses from a previous consultation exercise undertaken in March 1997 on the "Licensing of Trusted Third Parties for the Provision of Encryption Services".
2. The Government places considerable importance on the successful development of electronic commerce. It will, if successfully promoted, allow us to exploit fully the advantages of the information age for the benefit of the whole community.
3. The Government is committed to the successful development and promotion of a framework within which electronic commerce can thrive. Electronic commerce, as indicated below, is crucial to the future growth and prosperity of both the national economy and our businesses. Although the prime economic driver for electronic commerce may currently lie with business-to-business transactions, it is clear that consumers (whether ordering books or arranging pensions) will also directly benefit. The following are some of the activities we are actively pursuing with business to develop the environment to achieve these goals:
(i) Information Age
The Government set out its vision for the UK in "Our Information Age", launched on 16 April. The Prime Minister, in his foreword, highlighted the importance of capitalising on the opportunities of the information age to improve people's quality of life, their education and our wider industrial competitiveness. He noted how information technology was central to these aims and how new developments in communications and computing would be reflected in proposals to help modernise government. The Government's approach is based around five central themes: transforming education, widening access, ensuring competition and competitiveness, fostering quality and modernising Government.
(ii) Information Age Competitiveness Working Party
The Information Age Competitiveness Working Party, one of six groups established as part of the Competitiveness UK Initiative, has considered how companies can exploit fully the new opportunities presented by the information age. The Working Party, made up of senior representatives from a wide range of business sectors, has made a series of practical recommendations which will be considered by the President of the Board of Trade during the development of the White Paper on competitiveness, which is due to be published in the Autumn.
(iii) Legal Framework
Later this year, the Government will be launching a consultation to assess the impact of digital convergence on the legal and regulatory framework. In addition to questions about the effect of convergence of broadcasting and telecommunications, this work will also explore whether there are other aspects of the general framework which may need some adaptation to ensure they are fully suited to dealing transparently with electronic commerce as well as traditional commerce. The Government's intention is to ensure, as far as possible, that the law is technology neutral in its application, providing the same legal environment on-line as off. A first, but important, aspect of this work is the legal recognition of digital contracts and signatures. The proposed legislation outlined below will start to address this.
(iv) Internet content
As the Internet becomes a mass medium it is only right to ensure that the most vulnerable users are protected. This has meant supporting, and encouraging, such initiatives as the Internet Watch Foundation (IWF) to ensure that the law is applied on-line in the same way as it is off-line. Internationally we are co-operating with both the EU and OECD to tackle this important problem. We thus support the aims of the Action Plan on Harmful and Illegal Content on the Internet, which is currently being discussed in a European Council working group.
(v) Benchmarking
A new international benchmarking study to be published by the DTI next month shows that the UK is ahead of Germany and France on many measures of uptake and use of networked technologies, the tools for electronic commerce. For example, 49% of UK companies have Internet access (compared to 44% in Germany and 24% in France), and 37% of UK companies have websites (30% in Germany and 14% in France).
(vi) Support Centres
Local Support Centres (LSCs), based on Business Links and their equivalent in Scotland and Northern Ireland, are key to local delivery of the Programme for Business. These centres provide easily accessible and impartial local advice, to encourage SMEs to reap the benefits of the information age. Over 16,000 companies have now visited LSCs, and have received advice or training on how to use information and communication technologies such as e-mail and the Internet, which are key to the development of electronic commerce. 60 sites are now open, with the aim of 80 operational sites by the end of 1998.
4. To achieve our goals, however, electronic commerce, and the electronic networks on which it relies, have to be secure and trusted. Whether it be the entrepreneur e-mailing his sales information to a potential supplier or the citizen receiving private electronic advice from their doctor, the communications need to be secure. In a recent DTI survey 69% of UK companies cited security as a major inhibitor to purchasing across the Internet. Good information security, therefore, is a vital ingredient which all IT producers and users should pay heed to. The DTI, which has a dedicated unit involved in giving advice to business on this important business issue, is thus introducing an Accreditation Scheme to assess businesses' compliance with BS 7799, the national standard on information security. The Scheme, being launched on 28 April at Infosec 98, will allow businesses the opportunity to have their implementation of information security professionally certified, giving their trading partners and customers greater confidence and trust. The Department is also chairing an industry working party to review and update the Standard with the aim of making it a global benchmark for all those organisations which take information security seriously.
5. In addition to best practice, however, our businesses also need access to appropriate technical solutions to protect the information they send across public networks. And perhaps the most important tool is Cryptography; the use of digital signatures and encryption. Whether we are concerned with the integrity of information (ensuring its content has not been altered) or its confidentiality (keeping it secret), the appropriate use of cryptography can be of major benefit to all IT users.
6. There are, however, a number of different characteristics of cryptography, which make it a complex issue. These range from its benefit to electronic commerce and privacy, as noted above, to the concerns strong encryption raises for law enforcement. Thus cryptography policy must take account of the needs of the user (whether an individual or a business), the government and the international community. For the former, issues of trust and confidence are paramount. Whether the requirement is for the integrity of data (vital in many forms of electronic commerce) or its confidentiality (important for business and the citizen) the cryptography mechanism needs to be robust and reliable. Encryption keys protecting the information must be strong enough to deter industrial espionage and hacking. For the Government there are also good reasons why cryptographic services should be robust; they help to protect economic and intellectual assets and enable new services to be delivered to the public (such as electronic tax returns); as well as reducing IT fraud and hacking.
7. The measures the Government plan to introduce take account of these differing aspects of cryptography and also the responses to the consultation process on the licensing of Trusted Third Parties initiated by the previous Administration. In respect of the latter, the Government has responded to business concerns and criticisms of the previous "mandatory" approach to licensing. Thus, as will be explained below, the new proposals will neither oblige service providers to obtain licences nor to use any particular encryption products or technologies. In addition there is now a clear policy differentiation between digital signatures and encryption; another concern of industry during the consultation process. The Department in conjunction with this Statement is publishing an independent summary of the responses from the consultation exercise.
8. In recognising the international nature of electronic commerce the Government has, of course, been concerned that policies on encryption should, where appropriate, be consistent with the emerging international consensus. The measures announced today are, therefore, fully compatible with the OECD Guidelines on Cryptography Policy which were agreed in March last year; and, as far as possible, consistent with the developments taking place in UNCITRAL(1) on electronic signatures.
9. The Government has also been working closely with the European Commission, especially in respect of our current tenure of the EU Presidency, to ensure that our policy development is compatible with that outlined in the Commission's Communication on Encryption and Electronic Signatures(2) released last October. We look forward to working with the Commission and member States on the proposed Electronic Signature Directive which will, we believe, foster the development of a pan-European framework for cryptography services. In respecting these developments the Government recognises the clear differences in approach that need to be afforded to the development of electronic and digital signature services (for integrity) on the one hand, and to encryption (or confidentiality) services on the other.
10. In our efforts to promote the use of electronic signature and encryption services we are also working with our international colleagues to update and streamline the export controls on encryption products. Such controls, we believe, need to reflect the commercial requirements for robust and trusted encryption products whilst also taking account of national security.
11. We therefore intend to introduce legislation to license those bodies providing, or facilitating the provision of cryptography services. Principally these will be Trusted Third Parties (the generic term for bodies that provide one, or a variety of cryptography services to their clients), Certification Authorities (bodies which mainly issue certificates for electronic signatures) and Key Recovery Agents (responsible for facilitating the "recovery" of encrypted data). Such licensing arrangements will be voluntary, as business has requested, although we would hope that organisations providing services to the public will see the benefit of adhering to a high standard, and the public confidence that this will bring. We intend that licensed Certification Authorities - conforming to the procedural and technical standards which such licensing will confer - would be in a position to offer certificates to support electronic signatures reliable enough to be recognised as equivalent to written signatures; an essential ingredient of secure electronic commerce. Licensed Certification Authorities offering secure electronic signature services will, we believe, make a significant contribution to electronic commerce. They will provide trust that the authentication process is reliable (ie an owner of an electronic or digital signature certificate is who they say they are) and consumer and business confidence that the signature mechanism employed is robust and secure.
12. Organisations facilitating encryption services (for example through offering key recovery or providing key management services for confidentiality) will also be encouraged to seek licences. Such bodies can offer sound business benefits to their clients. Increasingly organisations are recognising the necessity of being able to recover critical data, which their staff may have encrypted, or the text of the messages they have sent to clients. In such circumstances the permanent loss of an encryption key - perhaps because an employee has left - could be very damaging. Licensed service providers that provide encryption services will, therefore, be required to make recovery of keys (or other information protecting the secrecy of the information) possible through suitable storage arrangements.
13. In developing its policy on encryption, the Government has given serious consideration to the risk that criminals and terrorists will exploit strong encryption techniques to protect their activities from detection by law enforcement agencies. Encryption might be used to prevent law enforcement agencies from understanding electronic data seized as the result of a search warrant or communications intercepted under a warrant issued by a Secretary of State. This would have particularly serious implications for the fight against serious crime and terrorism. For example, during 1996 and 1997, lawful interception of communications played a part - often the crucial part - in operations by police and HM Customs which led to 1,200 arrests; the seizure of nearly 3 tonnes of Class A drugs, and 112 tonnes of other drugs, with a combined street value of over £600 million; the seizure of over £700 million in cash and property; and the seizure of over 450 firearms. During this period, around 2600 interception warrants were issued by the Home Secretary. (In line with the practice of the Interception Commissioner, this figure relates to all warrants issued by the Home Secretary, not just those for the Police and Customs.)
14. In response to these concerns, the Government intends to introduce legislation to enable law enforcement agencies to obtain a warrant for lawful access to information necessary to decrypt the content of communications or stored data (in effect, the encryption key). This does not include cryptographic keys used solely for digital signature purposes. The new powers will apply to those holding such information (whether licensed or not) and to users of encryption products. They will be exercisable only when appropriate authority has been obtained (for example, a judicial warrant for the purpose of a criminal investigation or, in the case of interception of communications, a warrant issued by a Secretary of State) and will be subject to strict controls and safeguards.
15. The purpose of the proposed powers is solely to maintain the effectiveness of existing legislation in response to new technological developments. The powers apply only to information which itself has been, or is being, obtained under lawful authority. The Home Office will bring forward detailed proposals in due course.
16. In concluding, electronic commerce offers tremendous opportunities to us all; but unless we harness those opportunities in policies that are both balanced and internationally compatible then trust and security will be the losers.
1. The United Nations Commission on International Trade Law
2. COM (97)503
RESPANN.DOC 21.04.1998 13:52 13824
ANNEX C
DTI Public Consultation Paper on Licensing of Trusted Third Parties for the Provision of Encryption Services
Introduction
1. There were 260 responses, 129 by conventional mail or fax, and 131 by e-mail. 102 were from organisations, and 158 from individuals. Many expressed their views strongly. Some were very short and some very detailed. Some comments appeared to be based on misconceptions, and some respondents seemed not to have fully read the paper. Only a few approved the proposals without qualification. However most approved the idea of licensing TTPs, with consumer protection as the main rationale. Most had some criticisms of the document, and some rejected it almost entirely.
2. A large number of responses began by welcoming the fact that a consultation paper had been produced at all on this topic. They stressed the importance of electronic commerce and recognised the need for a supporting infrastructure.
3. The most common general criticism was that the paper should have more clearly separated the issue of the licensing of TTPs (in particular in their role as Certification Authorities, e.g. for digital signatures), from that of lawful access. These issues were seen as quite distinct in principle, and best addressed separately.
4. The only aspect of the document to receive almost universal approval was the proposal to legislate for recognition of digital signatures by the courts. With regard to the authentication of digital signatures by licensed TTPs, a majority favoured the 'rebuttable presumption' mechanism over the alternative of enabling or encouraging contractual recognition.
5. The following paragraphs cover the other major issues commented on by the respondents. Responses to the specific questions posed in the consultation paper are summarised in tables on pages 4 and 5.
Mandatory versus Voluntary Licensing
6. Among those who approved of the licensing of TTPs, a significant and weighty minority argued for voluntary licensing, even though this was not explicitly discussed or put forward in the paper. There was felt to be a place for unlicensed TTPs if the market wants them. There were many calls for clarification of the suggested exclusions from the licensing regime, and several respondents asked for their own exclusion. One of the reasons for advocating voluntary licensing was this difficulty of defining exclusions.
7. There were fears that the proposed licensing conditions would be too burdensome and costly. A tiered approach was advocated by some, with varying TTP licensing conditions depending on the range of functions offered. There were many pleas from business organisations for the maximum amount of freedom to be left to the market, and many expressed confidence that in this fast-changing area market mechanisms would produce the most effective solutions. However the Data Protection Registrar, referring particularly to the requirement for consumer protection, broadly supported the licensing proposals.
Sanctions, and Prohibitions
8. Most respondents thought that new criminal offences would be needed to cover the deliberate or reckless disclosure of a user's private confidentiality key, and most insisted the offence should also cover authentication keys. There was little support for relying on the UK Data Protection Act 1984 or the UK Computer Misuse Act 1990 as these were seen as not being adequate for this type of offence.
Liability
9. A common view from industry was that the paper should have discussed liability in an authentication/integrity context (e.g. liability for falsely authenticating a digital signature), and not just confidentiality. There was no consensus on strict liability, nor on limited versus unlimited liability. Industry considered that the market would probably produce a spread of possible options with grades of liability to match level and types of service.
International Issues
10. Business respondents in particular were concerned that any UK initiative, such as a TTP licensing regime, should be consistent with requirements in other countries and should be able to inter-operate with them. The danger of international isolation from too strict a UK regime, or a unilateral one, was stressed. The UK should proceed in collaboration with the international community otherwise there could be a danger that it would become a backwater in the world of electronic commerce. There was much support for the OECD Guidelines, and for the UK to act strictly in accordance with them; most, but not all, respondents saw the paper as conforming to them.
Lawful Access
11. The issue of access to keys for law enforcement purposes attracted by far the most comment - particularly from individuals. Much of it was fundamentally opposed to the whole concept of lawful access, and either explicitly or implicitly also rejected the existing powers for lawful access to traffic under the Interception of Communications Act (IOCA). Some saw it as an extension of IOCA to stored data. There was some suspicion of the authorities' motives, and of the possibility of them misusing their powers with regard to lawful access. There was suspicion also that the proposals would result in a significant increase in the volume of official interceptions or surveillance.
12. Many of the more technical responses questioned the effectiveness, or even the feasibility, of the key escrow proposals in the paper. Comments included:
In addition, the merits of key recovery over key escrow were argued, although there were varying understandings of those terms.
13. By far the most common single point made against the lawful access proposals however, was that the key escrow mechanism might be by-passed by criminals etc. who are the authorities' potential targets. Examples of several such by-pass techniques were given. The answer to this objection given in the 'FAQ' section of the paper ("Criminals will often make use of whatever technology is conveniently available to them...") was not considered convincing. The conclusion drawn was that the proposals would bring cost and complexity to law-abiding users while not necessarily achieving the results the law enforcement authorities want.
3rd February 1998
RESPONS.DOC 21.04.1998 14:03 15872
The Government invited comments on the consultation paper, in particular with respect to the thirteen questions (referred to by the relevant paragraph numbers in this table) given in Section VII of the paper. The following is a summary of those responses.
Question (consultation paragraph) | Responses | | | Notes
Whether the suggested scope of an exclusion from licensing for intra-company TTPs is appropriate (Paragraph 50) | 77% agreed | 14% disagreed | 9% did not comment |
Whether, in the short term, it would be sufficient for business to rely on agreements under contract regarding the integrity of documents and identification of signatures; or whether it would be helpful for legislation to introduce some form of 'rebuttable presumption' for recognition of signed electronic documents (Paragraph 54) | 37% preferred contract | 54% preferred rebuttable presumption | 9% commented neither way | Most of those that preferred the contract approach also wanted more assurance that the courts would indeed accept electronic signatures.
The appropriateness of the proposed arrangements for licensing and regulation (Paragraph 60) | 40% agreed with the proposed arrangements | 42% disagreed with the proposed arrangements | 18% did not comment | Most of those that disagreed would accept a less strict form of regulatory regime.
Views on the proposed conditions (Paragraph 65) | 44% agreed with the proposed conditions | 27% disagreed with the proposed conditions | 29% did not comment | One of the main reasons for disagreement was that the conditions would be too expensive to meet.
What, if any, specific exemptions for particular organisations offering encryption services would be appropriate depending on the nature of the services offered? (Paragraph 70) | There were a number of organisations who specifically wanted their own services excluded for confidentiality reasons. | | | There is some correlation between the responses requesting exclusion and the notion of having a two or more tiered licensing regime, e.g. minimum exclusions for 'CA only' type services and maximum exclusion for confidentiality services.
Whether it is thought desirable to licence the provision of encryption services to businesses and citizens wholly outside the UK? (Paragraph 71) | 37% agreed | 16% disagreed | 47% did not comment | One of the most common comments was that international harmonisation was important.
Should electronic methods for the delivery of electronic warrants by the central repository and the subsequent delivery of keys by the TTP be introduced? (Paragraph 80) | 65% agreed | 16% disagreed | 19% did not comment | Those that disagreed did so mainly because they did not approve of the principle of lawful access.
Does the legislation specifically need to refer to other forms of legal access including a civil court order for access to cryptographic keys used to protect information relating to civil matters such as bankruptcy? (Paragraph 82) | 44% agreed | 21% disagreed with the need to refer to other forms of legislation | 35% did not comment |
Should deliberate (and perhaps wilfully negligent) disclosure of a client's private encryption key be a specific criminal offence, or would existing civil and criminal sanctions suffice? (Paragraph 84) | 51% thought that it should be a specific criminal offence | 19% thought that existing sanctions would suffice | 30% did not comment | Many did not see why this offence should be limited to just private encryption keys.
Whether the principle of strict liability is appropriate in these circumstances? (Paragraph 89) | 45% agreed to the need for strict liability | 45% disagreed | 10% did not comment |
Whether, in principle, an independent appeals body (such as a Tribunal) should be created? (Paragraph 91) | 47% agreed | 14% did not agree | 39% did not comment |
Whether the proposed duties of an independent Tribunal are appropriate? (Paragraph 93) | 47% agreed | 16% disagreed | 37% did not comment |
Would mandatory ITSEC formal evaluation be appropriate? (Annex C) | 21% agreed | 44% were against | 35% did not comment | Some thought that BS 7799 certification might be more appropriate. Some thought that the use of ITSEC would be acceptable for mandatory licensing, but others thought it was too excessive and expensive.
Converted from DOC to HTML by JYA/Urban Deadline