Cm 4417
Presented to Parliament by the
Secretary of State for Trade and Industry
by Command of Her Majesty
July 1999
Cm 4417 £9.70
The Bill is one of a series of measures we have taken since January to accelerate the adoption of electronic commerce in the United Kingdom. These include licensing new
radio spectrum for broadband wireless services; opening up BT's local network for broadband services; the introduction of the third generation of mobile phones, giving
mobile access to the Internet. These measures will enable us to lead the world in broadband access.
The Electronic Communications Bill will help to create confidence in the use of electronic communications between businesses and their customers. It will create a legal
framework for the use of electronic signatures so that people can be sure about the origin and integrity of communications. It will help to facilitate electronic government by
removing legal obstacles so that people and businesses can, if they prefer, communicate with Government electronically rather than on paper. It allows trust to be placed in the
providers of cryptography services by introducing a voluntary "approvals" scheme and it also helps prevent the Government's existing law enforcement powers being eroded
through the criminal use of encryption, without requiring the storage of decryption keys with third parties. Finally, it simplifies the process under which existing
Telecommunication Act licences can be amended.
The legislation we propose will play a positive and important role in the Information Age which is affecting all our lives.
Michael Wills MP Parliamentary Under Secretary of State for
Small Firms, Trade and Industry
Part I The Consultation Document and the Government's Response to the Trade and Industry Committee's Report
Part II Explanatory Notes The Draft Electronic Communications Bill
INDUSTRY COMMITTEE'S REPORT
Introduction
1. This Command Paper invites comment on the Government's proposals for an Electronic Communications Bill set out in Part II. It also sets out the Government's
response to the recommendations contained in the Trade and Industry Committee's Report [1] on the Government's previous consultation document [2].
2. The Government welcomes the Committee's Report. It, and the other responses to the consultation document launched in March 1999, have contributed to the measures set
out in the draft Bill.
3. The Committee restricted its report to the issues raised by that consultation document, and we have followed this approach in this document. The Government looks
forward to the Committee's further report in which it intends to deal with broader issues concerning electronic commerce.
Recent Developments
4. Since the Government gave evidence to the Select Committee and the publication of the Committee's Report there have been a number of developments, which the
Government would like to highlight:
a) The Government received 252 responses to its Building Confidence in Electronic Commerce consultation document. The DTI has separately published a summary [3], by
independent consultants, of the responses to the consultation.
b) The Government is now consulting on the draft Electronic Communications Bill. The draft Bill takes into account the responses to the consultation process, the Select
Committee's Report and discussions with interested parties over the last few months. It forms a key part of the Government's strategy for making the UK the best place in the
world to do electronic business, by starting the process of modernising the law and creating a climate in which electronic business can be conducted with confidence.
c) In parallel with the previous consultation the Prime Minister asked the Cabinet Office Performance and Innovation Unit (PIU) to consider encryption, e-commerce and
law enforcement. A task force was established and a Report [4] outlining their main findings was published on 26 May. As a result of this report, the Government has confirmed that
there will be no mandatory link between key escrow and the approvals system introduced by the Electronic Communications Bill.
d) The Government has decided not to introduce, in legislation, a rebuttable presumption of legal recognition for electronic signatures. Instead, the Government
proposes to make it clear that all types of electronic signatures will be legally admissible in Court.
[1] www.parliament.uk/commons/selcom/t&ihome.html
[2] www.dti.gov.uk/cii/elec/elec_com.html
[3] The summary is available at www.dti.gov.uk/cii/elec/conrep.htm
Copies of the responses themselves are available for viewing by appointment at the DTI Library, Lower Ground Floor, 1 Victoria Street, London SW1H 0ET. Please telephone William LeSadd on 020 7215 6699
for further details. Some respondents have also made their contributions available electronically on the world wide web.
[4] www.cabinet-office.gov.uk/innovation/1999/encryption/index.html
h) The Government also sought views on whether it should introduce any other legislative measures to promote electronic commerce. It has decided not to do so in this
draft Bill. However, the Government looks forward to any further suggestions that may arise in response to this consultation, in the Performance and Innovation Unit's broader
e-commerce study and in the Committee's next report.
Consultation
5. We invite comments by Friday 8 October. It may not be possible to take into account responses received after this. Any comments should be sent in writing to
Stephen de Souza either by electronic mail (preferably in Word 6.0 or text format) to:
X.400 address: S=ecbill O=DTI OU1=CIID P=HMG DTI A=Gold 400 C=GB
internet address: ecbill@ciid.dti.gov.uk
or to:
Communications and Information Industries Directorate
Department of Trade and Industry
Room 220, 151 Buckingham Palace Road
London SW1W 9SS
It would be helpful if those responding could clearly state who they are and, where
relevant, who they represent. Should you wish any part (or all) of your comments to be treated in confidence, you should make this clear in any electronic mail or papers you
send. In the absence of such an instruction, submissions will be assumed to be open, and will be copied to the Trade and Industry Committee; they may also be shared with others
or published by Ministers, or placed in the Libraries of the Houses of Parliament.
6. The Government accepts this in full. The previous consultation document made it clear that the Government does not intend to interfere with existing commercial
relationships. The Government recognises that many businesses, ranging from banks to manufacturers, have been successfully carrying out electronic business, usually in closed
user groups, for many years. The Government believes that the increasing use of open networks, such as the internet, is making electronic business easier, cheaper and more
accessible, bringing its benefits to wider markets, including consumers. The Government believes that the draft Bill will facilitate electronic commerce, including in existing
relationships, by clarifying the legal admissibility of electronic signatures.
Paragraph 8 The Government's proposals are tied, perhaps unduly, to the creation of a regulatory regime based on one particular technology – public-key cryptography – and
a specific market model, which, although they could be considered attractive at present, may not be optimal bases for electronic commerce carried out over the internet in the
future.
7. The Government is committed to a technology neutral Bill. The draft Bill published today is intended to promote the provision of cryptography services and
electronic commerce. Although many Trust Service Providers (TSPs) may well base their services on public key cryptography, there is no reason why other technologies (e.g.
biometrics) could not be used by approved TSPs. The Government consulted on how alternative business models should fit into the approvals regime. Although there were
few specific responses on this, the Government believes that varying business models will develop and that it is impossible to predict which are likely to succeed. The approvals
regime needs to be flexible and responsive enough to accommodate this, which is why the draft Bill leaves the detail of the statutory regime to secondary legislation.
Paragraph 25 In order to help the UK become the best environment in which to trade electronically by 2002, the Government should keep a close eye on international
electronic commerce policy developments and adopt best practice from elsewhere when appropriate.
8. Electronic commerce is inherently global and the Government takes this into account in formulating policy, and recognised this in drawing up the previous
consultation document. The international picture is complex. Our approach is based on trying to move quickly where there is reasonable international consensus, but not striking
out unilaterally against the current of global e-commerce.
9. A good example of the above is the leading role the UK has taken in both EU and OECD discussions on cryptography. On the former the DTI helped ensure a compromise
was reached which balanced the important security requirements relating to the generation of electronic signatures with the need to encourage an open and flexible
market. In the OECD the DTI is working to establish a framework which recognises the importance of global compatibility between national and regional initiatives on
authentication. The UK is one of the key players in forming the international agenda, particularly within Europe, and has developed models, such as that for dealing with illegal
content on the internet, that have been adopted around the world.
Paragraph 34 Notwithstanding legitimate reasons for delay, we are concerned at the time it has taken the present Government to establish and implement a cryptography
policy. It is our perception that inadequate political control has been exercised over the development and determination of cryptography policy. The policy agenda has been
allowed to drift for too long. It is imperative that Ministers take a firm grip of the issues from now on.
11. The speed of computers doubles every 18 months. Recent years have seen an explosive growth in the numbers of people connected to the internet, allowing complex
data to be exchanged almost instantaneously over thousands of miles. This phenomenon is having a significant economic impact and will impact on society itself, often in
unpredictable ways. The Government needs to take account of the interests of society as a whole: policy on electronic commerce needs to take account of broader issues, such as
privacy and law enforcement. Against this background, Governments around the world have tried to formulate policies which capture the benefits and mitigate the potential
downside. No Government has found it easy either to formulate or implement policy in this area.
12. Nevertheless, the Government has not been slow to rise to the challenge. The UK has played a leading role in the debate. The UK was the first country in Europe to
recognise the need to deal with both authentication and confidentiality issues in a single framework, because the same technology underpins both kinds of service. Policy on
cryptography and e-commerce more broadly has been driven at the highest levels politically. The Government rejects the Committee's suggestion that inadequate political
control has been exercised over the development and determination of cryptographic policy:
• The Government's cryptography policy was launched within a year of the General Election by Mrs Barbara Roche MP in April 1998 when she announced the Government's intention to pursue a more liberal policy than the previous administration, by rejecting the mandatory nature of the scheme which they had consulted on shortly before the General Election.
• The former Secretary of State for Trade and Industry (Peter Mandelson MP) set the target for the UK to be the best environment worldwide in which to trade electronically by 2002 in the White Paper – Our Competitive Future: Building the Knowledge Driven Economy.
• On 5 March 1999 the Secretary of State for Trade and Industry and the Home Secretary jointly launched Building Confidence in Electronic Commerce. In parallel with the consultation, the Prime Minister personally launched a partnership with industry to find solutions to the problems posed by encryption for law enforcement.
Paragraph 36 We believe it is essential that every measure included in the forthcoming Electronic Commerce Bill is designed to facilitate rather than restrict electronic
commerce and that this should be the criterion by which Parliament judges the Bill.
13. The Bill will be an essential enabling measure to spur on the growth of e-commerce in the UK. The Bill will support the Government's targets for:
• the UK to be the best environment for electronic business by 2002;
• 25% of Government services to be available electronically by 2002 (rising to 100% by 2008); and
• 90% of routine procurement of goods to be done electronically by 2001.
14. The draft Bill is designed to promote e-commerce in a number of ways:
• through clarifying the status of electronic signatures;
• by removing legal barriers so that the option of communicating electronically can be offered instead of the use of paper; and
• by building confidence in the provision of cryptography services.
The draft Bill also contains measures designed to ensure that the effectiveness of existing law enforcement powers is not undermined by the criminal use of the very technologies
(such as encryption) which the Bill seeks to promote.
Paragraph 37 While we accept the Government's judgement that legislation should not be delayed still further solely to allow for a standard consultation period, especially as
the issues on which DTI sought views were so familiar to likely respondents, the time constraints cited by DTI have been entirely of their own making.
15. The Government has sought to maintain a balance between allowing an adequate period for consultation, and pressing ahead with drawing up legislation. As the
Committee recognises, the issues on which the Government sought views were familiar to many respondents. The Government was impressed by both the number [5] and the
quality of the responses. Moreover Ministers and officials consulted many companies and others in drawing up the previous consultation document. This document is the next step
in an ongoing process of consultation. The DTI will continue consulting as the Bill is taken through Parliament and will undertake future formal consultation as the Bill is
implemented. The Government is committed to building confidence in e-commerce, building the legal framework in partnership with industry and other interested parties.
Paragraph 40 We consider it a potentially serious omission that DTI has not indicated how its proposals for electronic signatures would affect Scottish law and we recommend
that they quickly do so.
16. The Government has always recognised that the implementation of the policy of the Bill is likely to require amendment also of basic provisions of Scots private law
relating to requirements of writing, evidence and contract formation. In that regard, it is envisaged in the draft Bill that Scottish Ministers will have the power to make any
necessary amendment of Scots law on matters of that kind, by means of subordinate legislation taken through the Scottish Parliament, subject to the consent of UK Ministers
as the power will extend to legislating on reserved matters.
[5] The DTI received 252 responses in total (of which 246 were received in time to be taken into account by the
consultants for their summary).
Paragraph 41 Although electronic signatures are not currently without legal standing, legislation to clarify their status would command widespread support.
Paragraph 44 One objection to the Government's proposals for the recognition of electronic signatures is that they are better suited to a civil law jurisdiction, than to the
English common law tradition.
Paragraph 46 A second objection to the proposal that some electronic signatures will carry a rebuttable presumption of validity is that this would reverse the burden of proof in
contractual disputes, potentially undermining confidence in electronic commerce if means of forging electronic signatures are developed.
Paragraph 51 We recommend that the Government lay before Parliament the justification for such a radical change to the way signatures are considered by English law
and explain in greater detail than hitherto whether or not the EU Electronic Signatures Directive genuinely necessitates such a change to be made.
18. The Government welcomes the Committee's support for its intentions to reduce the present uncertainty over the legal admissibility of electronic signatures. The means of
reducing this uncertainty has provoked considerable debate and the draft Bill sets out what the Government believes is a prudent approach. As the Committee recognises, the
common law treats signatures in terms of their purpose (did the signatory intend to indicate their assent to what was in the document?), rather than their form (does the
signature meet certain requirements?).
19. This means that in many, but not all, circumstances the law is flexible enough to be capable of accommodating electronic signatures. However there will be uncertainty, until
sufficient case law has built up. This could take some years. The responses to the consultation launched by the previous administration indicated considerable support for
a rebuttable presumption that an electronic signature was what it claimed to be. However, many of the respondents to the recent consultation argued against introducing
such a presumption because:
• they argued that the burden of proof would be shifted, to consumers for example, to prove that they had not signed a document, thus reversing the position in existing law;
• the technology, and its likely use in most situations, is not sufficiently developed to be able to set the necessary standards;
• moreover, even if the technology were robust, it is hard to control how people use it (e.g. although a properly implemented electronic signature cannot be forged, a smart card can easily be lost or not properly protected);
• the flexibility of common law, which makes English Law the jurisdiction of choice for many international transactions, might be compromised by such a measure.
Paragraph 58 The outdated definitions of words such as "writing" and "signature" in law are potentially significant barriers to the development of electronic commerce in this
country. DTI seems not to appreciate the need for swift legislative action in this area and would appear to have made limited progress since 1997. We favour the Government
taking powers in the forthcoming Electronic Commerce Bill for secondary legislation to update definitions of words in law to take account of new information and
communication technologies and drawing on the approach of the Australian draft Electronic Transactions Bill 1999. We recommend that the Government quickly publish
an analysis of legal changes required, both in relation to English and Scots law and identify those transactions and official proceedings which it believes should not be
allowed to be conducted electronically.
21. The Government welcomes the Committee's support for its view that certain requirements of form (e.g. for information to be in writing or signed) in legislation drawn
up before the advent of electronic commerce are potentially significant barriers to its development. The Bill will be the first available legislative opportunity to address this
broadly, though the Finance Bill addresses matters concerning the Inland Revenue and HM Customs and Excise. The draft Electronic Communications Bill includes a power in
Clause 8 to enable Ministers to draw up secondary legislation to permit such requirements to be met electronically. For example, the DTI plans to use powers under
the Bill to amend the Companies Act 1985 to enable companies to communicate with shareholders electronically.
22. There may be a few examples where it is not appropriate to take such a step, at least in the near future. The publication of an analysis of the references in legislation to "in
writing" or "signed" is not compatible with the timetable for bringing the Bill before Parliament. The Society for Computers and Law has estimated that there may be as many
as 40,000 references to "writing" and "signature" alone.
Paragraph 64 We acknowledge the need for some form of accreditation scheme relating to TSPs to persuade firms and individuals "standing on the edge of the e-commerce
lake wondering whether it is really safe to dive in" that electronic commerce is as safe and reliable as traditional forms of commerce.
Paragraph 65 We recommend that the Government sponsor a voluntary accreditation scheme for TSPs which is based on the needs of users and service providers but which is
not grounded in legislation. We think it prudent that the Government take powers to establish a statutory-backed scheme but recommend that these powers are held in
reserve unused unless and until it is demonstrated that a voluntary scheme fails to protect the interests of all consumers and service providers.
23. The Government welcomes the Committee's support for the principle of a voluntary approvals scheme. The previous consultation document set out the intention to
introduce a statutory, but voluntary, licensing scheme for Trust Service Providers. Given the Government's decisions not to offer statutory privileges as an incentive for the
24. Many respondents to the recent consultation argued for a "light touch" in any legislation or regulation. One noticeable shift in opinion from the consultation launched
by the previous administration was that voluntary statutory licensing was questioned. There were many calls for the market and the technology to be allowed to evolve, and
some for the industry to be allowed to develop self-regulatory or guidance mechanisms.
25. The choice between a statutory voluntary regime, or a suitable self-regulatory regime, is finely balanced. The Government is in close dialogue with the Alliance for
Electronic Business in relation to its work in developing a non-statutory, self-regulatory scheme. The Government therefore proposes, in Part I of the draft Bill, to take powers to
set up a statutory voluntary scheme by secondary legislation. After Royal Assent, the Government will need to decide whether to bring such a statutory scheme into being, or
to follow the recommendation of the Trade and Industry Committee and hold the powers in reserve, relying on self regulation. Our assessment will take account of the robustness,
industry acceptance and quality of the self-regulatory scheme which by then should have emerged from industry and make a judgement about how its merits would compare with
those of a statutory scheme. We will consult on that decision.
Paragraph 66 We see no reason why existing means of distinguishing licensed or accredited services from unlicensed or non-accredited services cannot be applied
successfully to TSPs.
26. The Government agrees with the Committee. The essential points are that approval should apply to a particular service, or range of services, rather than the
provider and that there should be a clear distinction between approved and unapproved services. It is likely that service providers would be allowed to use a logo (or some other
mark of recognition) in connection with those Cryptography services for which they had been approved.
Paragraph 67 There is a danger that TSPs and their customers will be confused by the multi-layered design of the proposed statutory licensing regime. We would welcome
early clarification by DTI and OFTEL of how the proposed licensing regime will work in practice, were it to be introduced.
Paragraph 70 We recommend that, if DTI intends to establish a statutory licensing scheme, it spell out which licensing functions it would be prepared to delegate to an
industry body in future and which it would prefer a public sector body to perform; and that it set out the criteria an industry body must meet in order for it to be considered as
the licensing authority for TSPs.
27. The Government does not believe that it is sensible, given the pace at which this market is developing and its present immaturity, to spell out now the exact division of
functions between a statutory body and industry. The Government believes that the objectives of the scheme as a whole are far more important than the exact division of
responsibilities.
influence the development of such standards, in line with its objectives for promoting electronic commerce, Modernising Government and law enforcement.
5. The scheme needs effective mechanisms for ensuring compliance with these standards, including for example:
a) assessment of service providers, perhaps linked to a "kitemark";
b) sanctions and the ability to monitor and take enforcement action against members that breach the "code of practice";
c) a means of redress for consumers if consumers are unhappy with the response from the service provider;
d) publicity, i.e. making available the code of practice, a register of members and, perhaps, annual reports aimed at consumers.
6. The scheme should take account of the draft EU Electronic Signatures Directive (including provisions on liability and data protection). In particular it should provide UK providers with
a means of showing that their signature service meets the standards envisaged in the draft Directive, to facilitate trade with other EU countries. There could be scope for different levels
of service, so it might not be necessary for all signatures to meet the Directive standards.
Paragraph 73 A comparison of the 1997 and 1999 DTI consultation documents would suggest that little effort has been devoted over the last two years to considering the
detailed licensing criteria to be applied to TSPs, or the effect of such criteria on the market. The licensing criteria for TSPs recently set out by DTI are not fit to be written
into law. Unless they are improved, then the licensing system will be a damaging and embarrassing failure. We invite the Government to inform Parliament how it intends to
work with electronic commerce providers and users to design more suitable criteria.
29. We do not accept this criticism. The previous consultation document made it clear that these were draft criteria and that potential licence applicants would be consulted
about refining them. Nevertheless, the draft criteria reflected discussions with industry and were largely consistent with those laid down in the Annexes to the draft Electronic
Signatures Directive. Respondents to the previous consultation Document (comments were specifically requested) did not seem to share the Committee's view and certainly did
not suggest they were unfit to be written into law. Indeed, although many respondents argued that what was proposed was more suitable for an industry-led accreditation
scheme, there seemed to be a general appreciation that the draft criteria were a sensible basis for a scheme.
30. The DTI will continue to work with industry in developing a set of criteria designed to generate public confidence that cryptography services from a TSP approved under the
UK regime are high-quality and reliable. The DTI will also work with industry in representing UK interests in refining the criteria outlined in the draft EU Electronic
Signatures Directive, which will form the basis of mutual recognition of electronic signatures in the EU.
31. In the consultation document Building Confidence in Electronic Commerce, the Government recognised the complex issues involved in apportioning the liability of Trust
Service Providers, and the need to balance the interests of the various parties who may be involved, either directly or indirectly, in a particular transaction. In the light of
responses to the previous consultation the Government has decided not to introduce a statutory liability regime, and to rely on the contract between the TSP and their client, and
existing law. We will expect TSPs to make clear to their customers the extent of their liability.
Paragraph 80 We are persuaded that encryption will increasingly be a source of advantage to criminals with which law enforcement agencies are, at present, inadequately
prepared to deal.
32. The Committee has highlighted concerns that the Government has had for some time. The Government is determined to ensure that the statutory powers on which the
law enforcement agencies rely in combating crime are not undermined by new technologies. That is why, as part of a package of measures being proposed in an attempt
to mitigate the consequences of rising criminal use of encryption, the Government proposes to use Part III of the Bill to introduce powers allowing properly authorised
persons (such as members of law enforcement agencies) to serve written notices requiring any person to provide the means necessary (e.g. a decryption key) to make
legally obtained material intelligible or to produce the material in an intelligible form.
Paragraph 81 We suggest that those organisations involved in electronic commerce will be much more willing to help the law enforcement agencies if there are reliable means to
assess the extent of the problems posed by encryption, and that there would be advantage in Parliament having a fuller picture of the perceived threat.
33. The Government has been working closely with industry on this issue. The PIU Report on Encryption and Law Enforcement recommended that an approach based on
openness and co-operation with industry would balance the aim of giving the UK the world's best environment for e-commerce with the needs of law enforcement.
34. The Government has accepted this recommendation and is in the process of establishing a new Government/industry joint forum, to be chaired by the DTI. The joint
forum will discuss the development of encryption technologies and ensure that the needs of law enforcement agencies are understood by the industry.
Paragraph 90 By dropping key escrow as a licensing condition for TSPs, the DTI's third attempt to formulate an acceptable cryptography policy is a marked improvement on its
predecessors. We are disappointed, however, that the Government should still hold a candle for key escrow and key recovery. We can foresee no benefits arising from
Government promotion of key escrow or key recovery technologies.
Paragraph 107 If the Government consider it necessary in future to introduce key escrow, key recovery or a related requirement on TSPs then we recommend that they do
so only after stating precisely the reasons why such a change would be necessary as part of a full public consultation exercise. Powers should not be taken in the forthcoming Bill to
permit the introduction of key escrow or related requirements at a later date.
The Government therefore accepted the recommendation that a mandatory link between approved providers of services and key escrow would not support the
Government's twin objectives on e-commerce and law enforcement.
Paragraph 98 We think that the proposed new power to require decrypted data or private encryption keys to be provided when appropriately authorised will be a useful
addition to the armoury of the law enforcement agencies. We recommend that the Government quickly clarify the situations in which it thinks this power will be likely to
prove most helpful. In particular, Parliament should be given an indication of the criteria which will be used to decide against whom written notices for the provision of
information will be served and whether it is proposed that the request should be for a private key or decrypted data.
37. The Government welcomes the Committee's support for this measure. Strong encryption is already being used by criminals to conceal their activities. This is creating
difficulties for law enforcement agencies and these will increase as the use of encryption becomes more widespread. The Government foresees that strong encryption will
become the technology of choice for criminals wishing to protect the contents of their communications and data. The new powers proposed in Part III of the draft Bill will assist
law enforcement agencies in their investigations wherever criminals are using encryption in an attempt to conceal their activities.
38. The draft Bill sets out the conditions under which the service of written notices requiring the surrender of decryption keys or plain text may be authorised and who may
authorise the use of the new powers. The ability to serve a written notice will be ancillary to existing statutory powers. This means that the new powers will apply only to material
that is, or has been, lawfully obtained. The draft Bill provides that the disclosure of plain text rather than a key may be acceptable in all cases unless the written notice specifies
that only the disclosure of a key itself is sufficient.
Paragraph 101 It is entirely unacceptable that the Government should announce a major review of the Interception of Communications Act 1985 and then fail to publish
any further details of the review for over eight months, especially when the consultation exercise on building confidence in electronic commerce explicitly refers to the Act and
the review. We recommend that the Government set out the options for change to the interceptions regime, and how they relate to the forthcoming Electronic Commerce Bill,
before the Bill is debated by Parliament.
39. The Home Secretary published a consultation document 6 (Cm 4368) on the review of the Interception of Communications Act 1985 (IOCA) on 22 June. This review relates
to the draft Electronic Communications Bill to the extent that the powers proposed in Part III of the draft Bill are designed to maintain the effectiveness of existing statutory
powers including IOCA. These powers, to require the disclosure of decryption keys or plain text, will be available when encryption is encountered in interception operations
authorised by the Secretary of State under IOCA. Without pre-empting the wider conclusions of the IOCA review, there is a need to address the threat posed by encryption
and to protect the effectiveness of the existing interception regime.
6 It is available at www.homeoffice.gov.uk and from the Stationery Office. Responses are requested by 13
August and may be sent by email to ioca@homeoffice.gsi.gov.uk
42. The Government submitted an Explanatory Memorandum to Parliament on the draft Resolution on 8 February 1999 (10951/2/98 ENFOPOL 98 Rev 2). In fact, the
Government sees little need for the draft resolution at the present time. The Government's consultation document on the review of IOCA published on 22 June,
includes consideration of the needs of law enforcement agencies in respect of providers of new communication technologies such as the internet and satellite telephony. The
proposal for a draft Resolution will not prejudice this consultation process.
Paragraph 105 If, after three years of considering its policy on cryptography, the Government should announce the need for a partnership with industry, then that would
suggest failure in the past to create such a partnership. We consider that the fault for failing to create such a partnership lies not with industry, which would appear to have
been ready and willing to help, but with Government. Although DTI has been willing to listen to what industry and others have had to say about cryptography, we have gained the
impression that they have not, until recently, taken much notice of what has been said to them. From now on, we expect the Government to work with all interested parties to
devise a cryptography policy which is best for the UK as a whole, rather than one which is geared towards satisfying law enforcement concerns at the expense of Britain's economic
competitiveness.
43. On the contrary, the Government has worked with industry (users, technology providers and potential TSPs) in developing its policy on encryption. Over the last five
years the DTI has hosted regular meetings of its Cryptography Working Group. The DTI has also regularly participated in the information security working groups of the CBI, the
Federation of the Electronics Industry (FEI) and the British Computer Society (BCS). The Government recognises the importance of balancing the needs of all concerned –
industry, users, law enforcement agencies and the general public – in this sensitive area.
44. In his foreword to the PIU Encryption report, the Prime Minister said:
"I am determined to ensure that the UK provides the best environment in the world for electronic business. Only by taking a lead to promote electronic business will we reap the potential economic
and social benefits. But I am equally determined to ensure that the UK remains a safe and free country in which to live and work.
The rise of encryption technologies threatens to bring the achievement of these two objectives into conflict. On the one hand, business has delivered a clear message that encryption is essential for
developing confidence in the security of electronic transactions. And lack of confidence is often cited as one of the main brakes on electronic commerce. People also want to enhance the security of their
personal communications through the use of encryption. To meet these needs, the Government is keen to support the strong and growing market in encryption products and services.
45. The Government will continue to engage with industry on a dialogue on these important issues; through the Industry-government forum proposed by the PIU and
through other fora.
Paragraph 106 We recommend that the Government keep Parliament informed of the remit and membership of the Cabinet Office task force dealing with law enforcement
aspects of electronic commerce and of any body established in its place.
46. The Performance and Innovation Unit (PIU) was created in 1998, to improve the capacity of government to address strategic, cross-cutting issues and promote innovation
in the development of policy and delivery of the Government's objectives. It acts as a resource for the whole of government, tackling issues on a project basis.
47. In February 1999 the Prime Minister asked the PIU to consider the issue of encryption and law enforcement, as a subset of its ongoing project on electronic
commerce. The remit given to the PIU was:
• to study the needs of law enforcement agencies and of business;
• to examine the merits of the current encryption policy (and in particular key escrow); and, if necessary,
• to identify proposals that would satisfy both the need to promote encryption for electronic commerce and the Government's duty to ensure that public safety is not jeopardised.
48. To handle this remit, a joint Government/industry task force led by David Hendon (Chief Executive of the Radiocommunications Agency), working alongside the existing
PIU electronic commerce project team led by Jim Norton, was established to examine the issue and to recommend a way forward to the Prime Minister. The task force's
membership was drawn from:
• the Home Office;
• the National Criminal Intelligence Service (NCIS);
• GCHQ Communications-Electronics Security Group;
• the Department of Trade and Industry;
• the Cabinet Office;
• British Telecommunications; and
• IBM.
Its main findings and recommendations were published on 26 May. The task force was wound up after it had completed its work. The coordination of the further work will be
taken forward by a special Unit set up in the Home Office.
Paragraph 108 We suggest that the experience of the relationship between ISPs and the law enforcement agencies underlines the need for openness and transparency in the new
partnership between industry and Government on law enforcement aspects of encryption, so as to avoid confidence in electronic commerce being undermined.
50. The UK has been very successful in developing an effective working relationship between Internet Service Providers (ISPs) and law enforcement interests. The regular
forum, currently chaired by the Association of Chief Police Officers, which includes a wide range of industry and law enforcement interests, together with representatives of
the DTI and Home Office, has played a central role in developing and maintaining this relationship.
51. The forum has already produced a form for use by Police forces in requesting information from ISPs under section 28.3 of the Data Protection Act, which is now in the
public domain. In addition, a best practice document on traceability will shortly be published, once it has been agreed and ratified by the ISP industry. The aim is for this
document to become the industry standard for tracing those responsible for the misuse of the internet. The forum is also working on a number of other projects and is actively
considering what more can be done to make the results of its work widely available in order to meet concerns about the transparency of its discussions.
Paragraph 110 We see merit in NCIS being notified whenever a local law enforcement agency encounters encryption during the course of a criminal investigation.
52. The Government understands that NCIS (the National Criminal Intelligence Service) sees merit in the establishment of such a national notification scheme and that, at
least initially, notifications should be sent to NCIS as part of a strategic threat assessment of criminal use of encryption. Work is in hand to address this issue further.
Paragraph 110 We also recommend that the Government consider the establishment of a law enforcement resource unit for dealing with computer crime, including encryption.
53. In line with the Committee's recommendation, and as recommended in the recently published PIU report, the Government has decided to establish a dedicated
resource (a new Technical Assistance Centre), operating on a 24 hour basis, to help law enforcement agencies derive intelligence from lawfully intercepted communications and
lawfully retrieved stored data. It is envisaged that the Technical Assistance Centre will also be responsible for gaining access to decryption keys, where they exist, under proper
authorisation.
54. Separately, the issue of whether to establish a national high technology crime unit is currently being considered by the Association of Chief Police Officers (ACPO) Crime
Committee.
Paragraph 112 We recommend that the Government consider the case for a review of the rationale for the continuation of export controls on cryptographic products, in the
light of their widespread availability, and the procedures by which such controls are implemented.
Paragraph 113 Although the forthcoming Electronic Commerce Bill is not likely to be a source of party political controversy it is a vital measure for UK competitiveness and law
enforcement. It requires full and rigorous parliamentary scrutiny.
57. The Government is now consulting on the draft Bill. The Government expects that, when introduced, the Bill, like any other, will be fully scrutinised by Parliament.
Paragraph 114 We recommend that DTI publish a full analysis of responses received to its recent consultation document, including a list of those who responded to the
document, at the same time as the Electronic Commerce Bill is published.
58. The DTI published today a summary, by independent consultants, of the responses to the consultation. The summary, and a list of respondents, is available on the DTI's
website (www.dti.gov.uk/cii/conrep.htm).
Paragraph 115 We recommend that draft regulations arising from the Electronic Commerce Bill be given full public scrutiny before they become law.
59. The Government believes that the draft Bill has already benefited from previous consultation on the underlying policy, and looks forward to the responses to this
consultation. In general, the secondary legislation made under the Bill is also likely to benefit from formal public consultation. The Committee's recommendation was made in
the context of the approvals criteria and the regulations to facilitate electronic communications and storage.
60. The Government is committed to developing the approvals criteria in consultation with potential applicants for approval, and users of their services, and will consult
formally on all such regulations.
61. The Government also plans to consult widely on draft regulations relating to the facilitation of electronic communications and storage (Clause 8). However, once general
principles have been established and agreed on in the first series of regulations it may no longer be necessary to do this in every case, unless new points arise. The Government
will, therefore, keep consultation on such regulations under review.
INTRODUCTION
1. These explanatory notes relate to the draft Electronic Communications Bill which was published by the Government on 23 July 1999. They have been prepared by the
Department of Trade and Industry and the Home Office in order to assist the reader of the draft Bill and to help inform debate on it.
2. The notes need to be read in conjunction with the draft Bill. They are not, and are not meant to be, a comprehensive description of the Bill. So where a clause or part of a
clause does not seem to require any explanation or comment, none is given.
BACKGROUND
3. The Government's policy is to facilitate electronic commerce. It has also set itself targets for making Government services available electronically: 25% by 2002, 50% by
2005 and 100% by 2008. The Government has also set a target for 90% of its routine Government procurement of goods to be done electronically by 2001.
4. The Government's general policy towards electronic communications and information technology is set out in:
• the Competitiveness White Paper (Cm 4176) published in December 1998 (available on the DTI website: www.dti.gov.uk/com/competitive);
• the Modernising Government White Paper (Cm 4310) published in March 1999 (available on the Cabinet Office website: www.cabinet-office.gov.uk/moderngov/1999/whitepaper/index.htm); and
• the Government's policy statement "Our Information Age: The Government's Vision" (URN 98/677; 4-98) (a summary can be found on the Number 10 website: www.number-10.gov.uk/public/info/index.html).
5. Cryptography and electronic signatures are important elements for electronic transactions.
• Cryptography is the science of codes and cyphers. Cryptography has long been applied by banks and is an essential tool for electronic commerce. Cryptography can be used as the basis of an electronic signature, or to keep electronic data confidential; while another is to ensure that the integrity of such information is preserved.
• Encryption is the process of turning normal text into a series of letters and/or numbers which can only be deciphered by someone who has the correct password or key. Encryption is used to prevent others reading confidential, private or commercial data (for example an e-mail sent over the internet or a file stored on floppy disk).
to come from ("authenticity"). Another important use of electronic signatures is establishing that the communication has not been tampered with ("integrity").
6. Various organisations provide cryptography services, including certifying the public key of an individual used in the generation of electronic signatures. There is a need
for the public to be able to have confidence that these services are secure and not open to fraud; and for people to be free from unnecessary restrictions in their use of new
technology. On the other hand, there is the problem that encryption can be used for criminal purposes and to frustrate the work of law enforcement and security services.
THE BILL
7. The main purpose of the Bill is to help build confidence in electronic commerce and the technology underlying it by providing for:
• a statutory approvals scheme for businesses and other organisations providing cryptography services, such as electronic signature services and confidentiality services.
• the legal recognition of electronic signatures, and
• the removal of obstacles in other legislation to the use of electronic communication and storage in place of paper.
8. The Bill also contains provisions to maintain the effectiveness of existing law enforcement powers in the face of increasing criminal use of encryption, and to update
procedures for modifying telecommunications licences.
9. The Bill is in four parts.
• Part I, Cryptography Service Providers. This concerns the arrangements for registering providers of cryptography support services, such as electronic signature services and confidentiality services.
• Part II, Facilitation of Electronic Commerce, Data Storage etc. This makes provision for the legal recognition of electronic signatures. It will also facilitate the use of electronic communications or electronic storage of information, as an alternative to traditional means of communication or storage.
• Part III, Investigation of Protected Electronic Data. This provides new powers to assist (for example) law enforcement agencies in making intelligible lawfully obtained stored or intercepted data which has been encrypted. This Part also creates two new offences and establishes oversight procedures and safeguards in relation to the new powers.
• Part IV, Miscellaneous and Supplemental. This Part amends section 12 of the Telecommunications Act 1984 and inserts new sections (12A and 12B) into that Act. The proposed new provisions are concerned with the modification
information.
• Schedule 2, The Tribunal. This concerns the constitution and procedure of, and appointments to, the Tribunal to be established under Clause 18 to hear complaints about written notices served as a result of authorisations granted by the Secretary of State.
Consultation
Parts I to III
11. The first consultation on most of the matters covered by Parts I to III was undertaken by the previous administration in March 1997.
12. The Government announced its response to that consultation, and its policy on the provision of cryptography services, in a parliamentary statement by Mrs Barbara Roche,
then Parliamentary Under Secretary of State at the Department of Trade and Industry, on 27 April 1998 (Hansard, HoC, column 27; available on the Parliament website at
www.parliament.uk/commons.htm).
13. A broader consultation – "Building Confidence in Electronic Commerce: A Consultation Document" (URN 99/642) (available on the DTI website at
www.dti.gov.uk/cii/elec/elec_com.html) – was launched on 5 March 1999. A summary of the responses to this consultation (URN 99/891) is available on the DTI website at
www.dti.gov.uk/cii/elec/conrep.html.
14. The Trade and Industry Select Committee of the House of Commons published a report on the matters covered by the consultation document on 18 May 1999 ("Building
Confidence in Electronic Commerce: The Government's Proposals", HC 187; available on the Parliament website at www.parliament.uk/commons/selcom/t&ihome.htm). This
document also contains the Government's Response to the Select Committee's report. This Response also sets out the Government's decisions on the issues covered by the
Consultation Document.
Part IV
15. There have been two formal consultations on the revised licence modification procedure provided for in Part IV of the Bill. The first, "Licence Modification Procedure:
Proposed Changes to the Telecommunications Act 1984" (URN 98/1049), was issued in May 1998; the second, "Licence Modification Procedure: Updated Proposals for
Changes to the Telecommunications Act 1984" (URN 99/945), in March 1999 (available on the DTI website at www.dti.gov.uk/telecom/teleprop.htm).
16. Responses to all these consultation exercises have contributed to the measures set out in the Bill.
Electronic Commerce (available on the UN website at: www.un.or.at/uncitral/english/texts/electcom/ml-ec.htm).
18. The broad aim of the Bill, facilitating electronic commerce, is similar to that of the draft EU Directive on Certain Legal Aspects of Electronic Commerce in the Internal
Market, which seeks to remove barriers to the development of electronic commerce in the internal market, but there is no overlap in the detailed provisions. The main areas
addressed in the proposed directive are simplifying and clarifying rules of establishment, ensuring consistency in approaches to commercial communications such as definitions of
advertising, ensuring legal validity of electronic contracts and clarifying the liability issues of intermediaries.
COMMENTARY ON CLAUSES
Clause 1: Register of approved providers
This clause places a duty on the Secretary of State to establish and maintain a register of approved providers of cryptography support services, and specifies what information is
to be contained in the register. The clause also requires the Secretary of State to make arrangements for the public to have access to the register and for any changes to the
information in the register to be publicised.
* cryptography support services are defined in Clause 6.
The main purpose of the register is to ensure that providers on the register have been independently assessed against particular standards of quality, in order to encourage the
use of their services, and hence the development of electronic commerce and electronic communication with Government.
Where two people are communicating electronically, it may be necessary for one person to rely on the services provided to the other: for example, where the first person receives a
communication which purports to have been signed electronically by the other.
* a definition of electronic signature for these purposes is given in Clause 7(2).
The register is voluntary: no provider is obliged to apply for approval and a provider who is not on the register is at liberty to provide cryptography services.
Clause 2: Arrangements for the grant of approvals
This Clause places a duty on the Secretary of State to ensure that there are arrangements in force for granting approval, handling complaints and disputes and modifying or
withdrawing approval.
Subsection (1) places a duty on the Secretary of State to ensure that there are arrangements for granting approvals for any person providing, or proposing to provide,
cryptography support services in the United Kingdom, and applying to be approved.
* The provision of cryptography support services in the United Kingdom is described in Clause 6.
Subsection (2) sets out what the arrangements for approvals are to achieve.
Subsection (4) allows for regulations made by virtue of subsection (3)(a) or (b) to frame the requirement for compliance with these requirements by reference to the opinion of a
person specified, either in the regulations or chosen in a manner set out in the regulations.
approval would depend on the applicant meeting the conditions specified in the relevant regulations.
Clause 3: Delegation of approval functions
This Clause enables the Secretary of State to delegate the approvals functions set out in Clauses 1 and 2 to any person.
Clause 4: Restrictions on disclosure of information
This Clause protects certain information obtained under Part I, sets out the purposes for which it may be disclosed, and makes improper disclosure a criminal offence. In
particular, it safeguards individual privacy and commercially confidential information, except where disclosure is desirable.
There is no restriction on who may make the disclosure or to whom it may be made, provided that the purpose is proper.
Clause 5: Regulations of Part I
This Clause makes further provision relating to the regulations the Secretary of State may make under Part I and contains standard provisions commonly accorded to powers to
make subordinate legislation, such as an ability to make supplementary provision.
* prescribed is defined in this Part as meaning prescribed by regulations, or determined in such a manner as may be provided for in such regulations.
Clause 6: Provision of cryptography support services
This Clause provides for the interpretation of various terms used in Part I of the Bill.
* The cryptography support services that may be approved under the arrangements described above are defined to include those relating to:
• confidentiality, i.e. keeping electronic data secret;
• the authenticity or integrity (both defined in Clause 23) of electronic data, i.e. relating to an electronic signature.
Subsection (2) makes it clear that the approval scheme for cryptography support services includes only those services that primarily involve a continuing relationship between the
supplier of the service and the customer. The scheme is not intended to cover the purchase of an item (whether software or hardware) unless such purchase is only
intended to be incidental to the provision of the cryptography support service.
Subsection (3) sets out what is meant by cryptography support services being provided in the United Kingdom.
Cryptography support services, falling within the scope of this Clause, would include registration and certification in relation to certificates, time-stamping of certificates or
documents, key generation and management, key-storage and providing directories of certificates.
Clause 7: Electronic signatures and related certificates
This Clause provides for the admissibility of electronic signatures and related certificates in legal proceedings.
communications to be regulated where it is already allowed. The power can be used selectively to offer the electronic alternative to those who want it.
There is a large number of provisions in statutes on many different topics which require the use of paper or might be interpreted to require this. Many of these cases involve
communication with Government Departments by businesses or individuals – including submitting information or applying for licences or permits. Other cases concern
communications between businesses and individuals, where there is a statutory requirement that the communication should be on paper. The power can be used in any
of these cases.
Some examples of the way in which the power could be used relate to the Companies Act 1985. On 5 March 1999 the DTI consulted about whether the Act should be changed to
enable companies to use electronic means to deliver company communications, to receive shareholder proxy and voting instructions and to incorporate. The consultation
letter "Electronic Communication: Change To The Companies Act 1985" is available from DTI's Company Law and Investigations Directorate, telephone 0171 215 0409. The
proposals attracted strong support from respondents.
There are, by contrast, many communications where paper is not currently required – for example the vast majority of contracts fall into this category. People will remain free
to undertake transactions of this kind using whatever form of communication they wish.
Subsection (1) gives the appropriate Minister the power to modify, by order made by statutory instrument, the provisions of any legislation for which he is responsible. He may
authorise or facilitate the use of electronic communications or electronic storage (instead of other methods of communication or storage) for any purpose mentioned in subsection
(2). This power is limited by subsection (3) which places a duty on the Minister not to make such an order unless he is satisfied that it will be possible to produce a record of
anything that is done by virtue of the authorisation. It is also limited by subsection (6) so that a person cannot be required to abandon paper unless he has previously chosen to do
so.
* The appropriate Minister is defined in Clause 9 (1).
Subsection (2) describes the purposes for which modification by an order may be made.
Subsection (4) specifies the types of requirement about electronic communications or the use of electronic storage that may be provided for in an order under this Clause.
Subsection (7) provides that this Clause does not apply to matters under the care and management of the Commissioners of Inland Revenue or the Commissioners of Customs
and Excise. Such matters are already covered in Part VIII of the current Finance Bill.
Clause 9: Supplemental provision about Clause 8 orders
This Clause sets out supplementary provisions relating to orders made under Clause 8 and contains standard provisions commonly accorded to powers to make subordinate
legislation, such as an ability to make supplementary provision.
Subsections (3) and (4) provide that the regulations made under Clause 8 will be subject to a choice of either affirmative or negative resolution procedure in both Houses of
Parliament. The Government intends to use affirmative resolution at least for the first order, so that the general principles can be debated.
Clause 10: Power to require disclosure of key
This Clause sets out the conditions under which notices can be served requiring disclosure of a key necessary to make lawfully obtained protected information
intelligible.
* key is defined in Clause 19(1), and
* intelligible is defined in Clause 23(3).
This Clause introduces a power to enable properly authorised persons (such as members of the law enforcement, security and intelligence agencies) to serve written notices on
individuals or bodies requiring the surrender of information (such as a decryption key) to enable them to understand (essentially make intelligible) protected material which they
legally hold or are likely to. By way of illustration, this could include material:
• seized under a judicial warrant (e.g. under the Police and Criminal Evidence Act 1984 (PACE));
• intercepted under a warrant personally authorised by the Secretary of State under the Interception of Communications Act 1985;
• lawfully obtained by an agency under their statutory powers but not under a warrant (e.g. section 18 of PACE – on entry and search after arrest); or
• which has lawfully come into the possession of an agency but not by use of statutory powers (e.g. material which has been voluntarily handed over).
The service of a written notice will need to be authorised by, for example, the Secretary of State, a judge, or a senior police officer, depending on the powers under which the
protected material was or is likely to be obtained.
Subsection (1) limits the information to which this power to serve notices applies. It does so by defining the various means by which the information in question has been or is
likely to be lawfully acquired.
Subsection (3) explains the way in which the notice must be given and what it must state.
Subsection (4) specifies the persons to whom the key may be disclosed.
Subsection (5) ensures that a key which has been solely used for the purpose of generating electronic signatures does not have to be disclosed in response to a notice.
* for the purposes of this Part electronic signature is defined in Clause 19(1)
* for the purposes of this Part a key is defined in Clause 19(1).
Subsection (7) safeguards existing powers to demand lawful access to protected information. For example, it ensures that this Bill will have no bearing on the use of
powers under the Criminal Justice Act 1987.
Section 2 of the Criminal Justice Act 1987 empowers the Director of the Serious Fraud Office to require a person to answer questions, furnish information or produce any specified documents which are relevant to an
investigation.
Clause 11: Disclosure of information in place of key
This Clause provides that a person required by a written notice to disclose a key may instead provide the data in an intelligible form, unless the person who gave the
authorisation to require the disclosure, or a person entitled to give such authorisation, has specified that only the disclosure of the key itself is sufficient.
This Clause would, for example, allow a company – that might have received an encrypted message from the target of a particular enquiry (e.g. a criminal) – to offer up an
intelligible copy of the message (e.g. a printed document) rather than any decryption key.
Clause 12: Failure to comply with a notice
This Clause makes it an offence to fail to comply with a notice given under Clause 10. It allows a defence to a person who shows that he did not have the key to the information
(or, where appropriate, the information itself) but gave as much information as he had about how the key could be obtained; or that he did what was required of him as soon as
was reasonably practicable.
Clause 13: Tipping-off
This Clause creates a new offence where the recipient of a notice, or a person that becomes aware of it, tips off another that a notice has been served or reveals its contents.
This Clause is to preserve, where necessary, the covert nature of an investigation by, for example, a law enforcement agency. Among the various defences outlined is one where
the software used by the recipient of a notice (for example an IT administrator in a company) causes the owner(s) of keys to be alerted when a key is accessed.
Subsection (1) limits this offence to occasions where the notice served explicitly demands secrecy.
Subsections (3) to (5), and (7) and (8), provide various defences against a charge of tipping off.
Subsection (2) specifies the maximum sentence for tipping-off a third party about the serving of a notice. As regards financial penalties there is no upper limit.
Subsection (3) excludes the offences under Clauses 11 and 12 of this Bill from the provisions of section 9 of the Interception of Communications Act 1985.
Section 9(1) of the Interception of Communications Act 1985 provides that in any proceedings before any court or tribunal no evidence shall be adduced and no question in cross-examination shall be asked which
tends to suggest that an offence under section 1 of that Act (which prohibits interception except in certain circumstances) has been or is to be committed by any person holding office under the Crown, or anyone
engaged in the business of the Post Office or in the running of a public telecommunication system; or which tends to suggest that an interception warrant has been or is to be issued to any of those persons.
Clause 15: General duties of specified authorities
This Clause describes the safeguards that must be in place for the protection of any material handed over in response to the serving of a notice under this Bill.
Subsection (1) ensures that the safeguard requirements apply to all those who may have responsibility for organisations that will handle material provided in response to a notice.
In the case of the security and intelligence agencies for example, this will mean the Secretary of State.
Subsections (2) and (3) place an onus on those identified to ensure that:
- any material disclosed is used only for the purpose for which it was required;
- the uses to which the material is put are reasonable and proportionate;
- the material is destroyed as soon as it is no longer needed; and
- the material is shared with the minimum number of people.
Clause 16: Code of practice
This Clause requires the Secretary of State to issue a Code of practice covering the exercise of the powers to authorise the issuing of disclosure notices under Part III of the
Bill. It provides that:
- the Secretary of State will first publish a draft of the Code;
- the Code will be brought into force by order under statutory instrument;
- the statutory instrument will be subject to affirmative resolution in both Houses; and
- the Code may be revised from time to time by means of the same steps as it was originally brought into force.
Clause 17: The Commissioner
This Clause provides for the appointment of a Commissioner to oversee the use of the powers of the Secretary of State to authorise the issuing of disclosure notices under Part
III of the Bill.
The powers granted to other bodies under this Bill can be reviewed by the courts.
"High Judicial Office" is defined in section 25 of the Appellate Jurisdiction Act 1876 as follows:
"'High Judicial Office' means any of the following offices; that is to say
The office of Lord Chancellor of Great Britain... or of Judge of one of Her Majesty's superior courts of Great Britain and Ireland:
'Superior courts of Great Britain and Ireland' means and includes
As to England, Her Majesty's High Court of Justice and Her Majesty's Court of Appeal; and
As to Northern Ireland, Her Majesty's High Court of Justice in Northern Ireland and Her Majesty's Court of Appeal in Northern Ireland; and
As to Scotland, the Court of Session."
The Appellate Jurisdiction Act of 1887 amended the term 'High Judicial Office' in section 5 to include the office of a Lord of Appeal in Ordinary and the office of a member of the Judicial Committee of the
Privy Council.
Clause 18: The Tribunal
This Clause establishes a Tribunal to hear complaints in certain cases and award compensation.
Subsection (1) outlines the instances where the Tribunal will hear complaints. The first case is where permission of the Secretary of State is required for the issuing of a notice
under Clause 10. This applies to cases arising from warrants signed under:
- Interception of Communications Act 1985; or
- Intelligence Services Act 1994.
The second case is where a person is restricted from relying in any proceedings before a court or tribunal on anything done under this Part of the Bill or on any contravention of
this Part by virtue of section 9 of the Interception of Communications Act 1985. For example, this could occur where legal proceedings were being taken against a service
provider who had been the recipient of a Clause 10 notice in relation to intercepted material.
Subsection (5) states that section 9 of the Interception of Communications Act 1985 is not to apply to hearings before the Tribunal.
Subsection (7) specifies those who may apply to the Tribunal.
Clause 19: Interpretation of Part III
This Clause provides for the interpretation of various terms used in Part III.
"GCHQ" is defined in section 3(3) of the Intelligence Services Act 1994 as follows:
"In this Act the expression "GCHQ" refers to the Government Communications Headquarters and to any unit or part of a unit of the armed forces of the Crown which is for the time being required by
the Secretary of State to assist the Government Communications Headquarters in carrying out its functions."
"Her Majesty's Forces" is defined in section 225(1) of the Army Act 1955 to mean Her Majesty's air forces, military forces and naval forces.
"Wireless Telegraphy" is defined in section 19(1) of the Wireless Telegraphy Act 1949 as follows:
"In this Act the expression "wireless telegraphy" means the emitting or receiving, over paths which are not provided by any material substance constructed or arranged for that purpose, of
electromagnetic energy of a frequency not exceeding three million megacycles a second, being energy which either–
any objects of any class"
"Interference" is defined in section 19(4) of the Wireless Telegraphy Act 1949 as follows:
"In this Act, the expression 'interference', in relation to wireless telegraphy, means the prejudicing by any emission or reflection of electro-magnetic energy of the fulfilment of the purposes of the
telegraphy (either generally or in part, and, without prejudice to the generality of the preceding words, as respects all, or as respects any, of the recipients or intended recipients of any message, sound
or visual image intended to be conveyed by the telegraphy), and the expression 'interfere' shall be construed accordingly."
Subsection (2) serves two purposes. It allows senior officers to issue notices relating to material possessed by more junior officers. It also ensures that the powers apply, for
example, where the police do not possess material but have the power to search or inspect the material.
Clauses 20 & 21: Modification of licences by the Director
The EC Telecommunications Services Licensing Directive (97/13/EC) requires licensing for telecommunications to be non-discriminatory. In practice this means that
modifications usually need to be made to all licences of a particular type at the same time. However, the current licence modification procedure, as detailed under section 12 of the
Telecommunications Act 1984, requires the Director General of Telecommunications (DGT) to obtain the written consent of an individual licence holder if he wishes to
proceed with a modification without reference to the Competition Commission (CC). Thus if the DGT wishes to make a licence modification without reference to the CC, he
must now obtain written consent from all those whose licences are to be modified. Given that there are a large number of individual licensees – well over 100 – gaining this
consent is an unduly difficult requirement. For example, some licensees may feel they have insufficient interest to bother to answer the DGT's letter. This could lead to licences
becoming silted up with out of date requirements, as well as preventing the DGT from responding appropriately to new developments.
Clause 20 accordingly provides for the procedure for modifying telecommunications licences to allow for simultaneous modification of many licences. It aims to provide more
responsive regulation and easier deregulation, while recognising the need for any new obligations facing substantial opposition to be examined by the CC. In particular, the
Clause would enable the DGT to proceed without reference to the CC in cases where a proposed modification has general, but not unanimous, support or is deregulatory.
The Clause operates by making modifications to the existing section 12 of the Telecommunications Act 1984 (the 1984 Act) (which sets out the procedure for making
modifications) and inserting a new section 12A (setting out the criteria for making modifications).
Subsection (1) provides that notice of modification, in addition to its being published, must be given to every "relevant licensee" (see the new section 12(6E), inserted by
subsection (3)).
Subsection (2) replaces section 12(4) of the Telecommunications Act 1984 with two new subsections 4A and 4B. Subsection 4A provides that class licences (i.e. general
authorisations, which are deemed to be granted to all those within a particular "class of persons" – e.g. every person in the UK – normally with no fee or registration involved)
may be modified despite outstanding representations, provided that no objections come
Subsection (6C), enabling the DGT to publish the names of companies objecting to a modification, without their consent, and to publish non-confidential details of
objections and representations received.
Subsections (6D) and (6E), which provide definitions.
Subsection (6F) which makes clear that this procedure does not apply to a licence modification by a partial revocation.
Subsection (4) inserts a new section 12A into the 1984 Act, which sets out the criteria for modifications to be made. This is illustrated in the flow-chart below.
Subsection 12A(5) provides that the modification may be made to licences issued since the making of a proposal for that modification, so long as the prospective
licensee has been given opportunity to object and either has not done so or, if he had done so, would not have caused there to be a blocking minority of objections.
Subsections (5) and (6) make consequential amendments.
Figure 1 below provides a diagrammatic representation of the proposed revised licence modification procedure.
[Figure 1: flow chart of the proposed revised licence modification procedure. Text of the boxes, in the order they appear:]
- Representations considered; Secretary of State doesn't object; reminders are issued [as detailed in S12A(6) and (7)].
- Are any objections made by relevant licensees? [S12A(2)] (Yes/No)
- Does the DGT consider that the modification is deregulatory? [S12A(4) and (11)] (Yes/No; one branch marked [*A*])
- Does DGT consider the objections come from at least a significant minority of the relevant licensees? [S12A(3), decided in the light of the Secretary of State's order as detailed in S12A(8), (9) and (10)] (Yes/No; one branch marked [*A*])
- Does the DGT wish to proceed with the modification? (Yes/No)
- Referral to the Competition Commission. Does it consider the modification to be requisite? (Yes/No)
- Outcomes: Modification abandoned; Modification goes ahead.
Note: [*A*] denotes a situation in which an appeal can be made.
unhappy with the decision of the DGT to make the modification. This provides an appeal against licence modification proposals. Since the provisions of Clause 20 give the DGT
new powers to modify licences even when there are objections raised by relevant licensees, there is now to be a balancing right of appeal on wider grounds than the normal
grounds for judicial review. Clause 21 inserts a new section 12B into the 1984 Act, setting out the mechanism by which such an appeal can be made.
Clause 23: General interpretation
This Clause provides for the interpretation of various terms used throughout the Bill.
Subsection (1) inter alia defines:
electronic communications to include communications by means of a telecommunication system within the meaning of the Telecommunications Act 1984, or by other means but in
electronic form.
Section 4(1) of the Telecommunications Act 1984 says:
* In this Act telecommunications system means a system for the conveyance, through the agency of electric, magnetic, electro-magnetic, electro-chemical or electro-mechanical energy of–
(a) speech, music and other sounds
(b) visual images
(c) signals serving for the impartation (whether as between persons and persons, things and things or persons and things) of any matter otherwise than in the form of sounds or visual
images; or
(d) signals serving for the actuation or control of machinery or apparatus.
subordinate legislation as having the same meaning as in the Interpretation Act 1978, and also including certain statutory rules in Northern Ireland.
* Section 21(1) of the Interpretation Act 1978 provides that subordinate legislation means Orders in Council, orders, rules, regulations, schemes, warrants, byelaws and other
instruments made or to be made under any Act.
Clause 24: Short title, commencement, extent
Subsection (2) allows the Secretary of State to commence provisions of the Bill on such days as he may appoint. Different days may be appointed for different purposes.
Subsection (3) prevents the Secretary of State from bringing into force anything relating to authorising the Secretary of State to grant permission for the purposes in Schedule 1
until such time as the Tribunal mentioned in Schedule 1 has jurisdiction.
COMMENTARY ON SCHEDULES
Schedule 1: Persons Having the Appropriate Permission
Schedule 1 deals with the duration and types of appropriate permission which may empower a person to serve a notice under Clause 10 of this Bill requiring disclosure of
information.
Paragraph 1: Data obtained under warrant
This paragraph deals with notices requiring disclosure, where the unintelligible information was obtained under a statutory power exercised in accordance with
- an authorisation under Part III of the Police Act 1997.
Examples of legislation under which the Secretary of State may issue a warrant include the Interception of Communications Act 1985 and the Intelligence Services Act 1994. Examples of legislation under which a
person holding judicial office may issue a warrant include the Police and Criminal Evidence Act 1984 and the Drug Trafficking Act 1994.
Sub-paragraph (2) states that the warrant or authorisation may empower a person to serve a notice requiring disclosure if
- the warrant or authorisation gave explicit permission for the notice to be given; or
- written permission has been given by the authority since the warrant or authorisation was issued.
The authority needed for the issue of a written notice requiring disclosure varies according to the power under which the material in question is obtained (see sub-paragraphs
(3) to (5)).
Sub-paragraphs (6) to (8) describe those persons who may issue a warrant or authorisation under Clause 10.
In sub-paragraph (6)(c), an authorising officer within the meaning of Clause 93 of the Police Act 1997 means the Commissioner, a person appointed under that Act and who holds or has held high judicial office within
the meaning of the Appellate Jurisdiction Act 1876 (for which see the explanatory notes on Clause 17).
Sub-paragraph (9) excludes from this paragraph unintelligible information
- which has been obtained under a statutory power without a warrant; and
- which has been obtained in the course of, or in connection with, an exercise of another power for which a warrant was required.
This might include, for example, cases where a constable has a right to enter premises under a warrant and while on the premises uncovers matter which he suspects to be
evidence of a crime unrelated to the warrant itself, in accordance with e.g. Police and Criminal Evidence Act 1984 section 19.
Paragraph 2: Data obtained under statute but without a warrant
This paragraph deals with unintelligible information to which Paragraph 1 above does not apply, and which has come into the possession of any person as described under
Clause 10(1)(a), (b) or (c) of this Bill (i.e., because the case does not involve a warrant issued by the Secretary of State or a person holding judicial office, or an authorisation
under Part III of the Police Act 1997).
Paragraph 3: Data obtained without the exercise of statutory powers
This paragraph deals with unintelligible information that has come into the possession of an intelligence agency, the police or Customs and Excise by any other lawful means not
involving the exercise of statutory powers.
Paragraph 4: General requirements relating to the appropriate permission
This paragraph makes some further stipulations about the categories of person who may be empowered to require disclosure. It also makes some stipulations about the
permissions that may be given by members of the police, Customs and Excise and the armed forces.
Section 13A of that Act specifies such ranks as:
- commander of the metropolitan police, as respects the metropolitan police area;
- commander of the City of London police, as respects the City of London; or
- assistant chief constable for any other police area.
Paragraph 5: Duration of permission
This paragraph provides for the duration of the validity of authorisations to serve a notice and prevents the issue of a notice after the authorisation has expired. The Bill does not
require that a limit must be placed on the duration of an authorisation.
Paragraph 6: Formalities for permissions granted by the Secretary of State
Paragraph 6 states that any permissions granted by the Secretary of State in accordance with Schedule 1 may only be granted
- if signed by him personally; or
- if signed by a member of the Senior Civil Service and expressly authorised by the Secretary of State. The express authorisation must be in relation to that particular warrant (i.e. there can be no standing authorisation).
Schedule 2: The Tribunal
Schedule 2 provides for the constitution and functions of the Tribunal established under Clause 18.
Paragraph 1: Constitution of Tribunal
This paragraph determines the constitution of the Tribunal.
Sub-paragraph (1) ensures that members of the Tribunal may be drawn from the legal profession in all parts of the United Kingdom. The requirement of ten years' standing
means that only those eligible for appointment to the judiciary can serve. These criteria and the subsequent provisions are essentially those for the IOCA Tribunal (Schedule 1 of
the Interception of Communications Act 1985).
The Courts and Legal Services Act 1990 states that a person has a "general qualification" if he has a right of audience in relation to any class of proceedings in any part of the Supreme Court, or all proceedings in county
courts or magistrates' courts.
Sub-paragraph (3) limits the term of office to 5 years. A member whose term of office expires is eligible for reappointment. Were he to serve a second time he would have to be
re-appointed by further Letters Patent. There is no retirement age.
Sub-paragraph (4) provides the means whereby a member may resign.
Paragraph 2: President and Vice-President
Sub-paragraphs (1), (2) and (3) establish the positions of President and Vice-President who will be members of the Tribunal.
to ensure that complaints are properly considered while ensuring that information is not disclosed that would, for example, be prejudicial to national security.
Paragraph 4 states that the Tribunal's rules will be established by statutory instrument, a draft of which will first be laid before Parliament.
Paragraph 6 imposes a duty on persons to provide to the Tribunal any documents or information it may require in order that it may carry out its functions under Clause 18 of
the Bill.
Paragraph 6: Appointment of special representatives
This provides for the appointment of persons (special representatives) whose function will be to represent the interests of an appellant in proceedings before the Tribunal from
which he and any legal representative are excluded by virtue of the procedural rules set out in paragraph 3 above.
Sub-paragraph (2) defines who may be appointed to carry out the role of special representative.
Paragraph 7: Co-operation with Tribunal
This paragraph imposes a duty on persons to provide to the Tribunal any documents or information it may require in order that it may carry out its functions under Clause 18 of
the Bill.
Paragraph 8: Appeals on points of law
This paragraph provides for an appeal to an appropriate appeal court (defined in sub-paragraph 3) on any question of law material to a final determination from the
Tribunal.
Paragraph 9: Salaries and expenses
This paragraph deals with the payments of the members of the Tribunal and of its expenses.
Paragraph 10: Officers
Sub-paragraph (1) provides for the appointment of officers of the Tribunal by the Secretary of State, after consultation with the Tribunal. The Secretary of State may not
therefore proceed unilaterally to make appointments. The provision itself places no limitation on the number of officers and (subject to the usual Treasury approval as to
numbers) allows flexibility over the numbers, grades and individuals.
Sub-paragraph (2) enables an officer who is authorised by the Tribunal to obtain documents on the Tribunal's behalf.
Paragraph 11: Parliamentary Disqualification
The parts of the Schedules referred to in this paragraph list the bodies whose members are disqualified from membership of the House of Commons and the Northern Ireland
Assembly respectively. They include Tribunals and public Boards, Commissions and Councils. Members of this Tribunal (as people paid for adjudicating in a quasi-judicial
capacity on the decisions of Ministers, and able to overturn those decisions) clearly fall within the category of those who are normally disqualified.
EFFECTS OF THE BILL ON PUBLIC SERVICE MANPOWER
The approvals scheme (Part I) is likely to result in a small increase in manpower. It is not envisaged that the law enforcement agencies will need an increase in manpower as a
result of the powers provided for them in Part III.
REGULATORY IMPACT ASSESSMENT
Electronic Commerce
The provisions in Part II of the Bill are expected to lead to substantial savings for business in transacting with Government.
Cryptography Services Providers
The proposed approvals scheme for cryptography service providers is voluntary in nature and therefore whether or not a company seeks approval will be a business decision for it.
Only those companies in the specialised sector of providing cryptography services will be directly affected and the total cost will be modest. The precise cost of approval will
depend on the nature of the services a company may wish to be approved for and the scale of their business. There could also be marginal costs of meeting the standards required to
gain approved status if these were set higher than the market required.
In deciding whether to seek approval a company will need to take account of the additional revenues which being approved might bring. Approved suppliers of some
public-key certificates are likely to have a significant marketing advantage due to their certificates having legal recognition throughout the EU.
Law Enforcement
The objective of the new powers contained in Part III of the Bill is to ensure, as far as possible, that there is no overall reduction in the ability of the law enforcement, security
and intelligence agencies to fight crime and threats to national security. Without these powers, there is a risk that criminal use of encryption will undermine the effectiveness of
vital powers of interception and search and seizure.
The proposed new lawful access powers will apply to individuals and businesses alike. Costs will occur where persons are served with authorised written notices requiring the
production of decryption keys or plaintext. Where the production of plaintext is deemed acceptable, compliance costs may be limited to the administrative costs of processing the
notice and delivering up the required data. But where a notice specifies that a key be handed over, the individual/business served with a written notice may decide that their
security has been compromised and may incur considerable costs in implementing new security systems or changing the keys of other trading partners, customers or associates.
modifications which command general, though not unanimous, support in the industry, or those which are deregulatory, to be implemented without the need for a complex and
expensive Competition Commission enquiry. The precise impact of these proposals will depend upon the nature of the modifications which may from time to time be proposed by
Oftel, but the overall impact is likely to be deregulatory and, to the extent that expensive Competition Commission references can be avoided, substantial savings could be made.
A full draft Regulatory Impact Assessment of the costs and benefits of the proposed Bill is available on the DTI Website www.dti.gov.uk/cii or from David Lee on 0207 215 1435.
EUROPEAN CONVENTION ON HUMAN RIGHTS
Section 19 of the Human Rights Act 1998 requires the Minister in charge of a Bill in either House of Parliament to make a statement, before second reading, about the compatibility
of the provisions of the Bill with the Convention rights (as defined by section 1 of that Act). The Secretary of State for Trade and Industry made the following statement when
publishing the draft Bill:
"In my view the provisions of the Electronic Communications Bill are compatible with the Convention rights".
Extract from the Telecommunications Act 1984 showing words inserted at Section 12 by the Bill; it also shows other amendments made by the Bill (not highlighted)
Modification of licence conditions by agreement.
12 (1) Subject to the following provisions of this section, the Director may modify the conditions of a licence granted under section 7 above.
(2) Before making modifications under this section, the Director shall give notice–
(a) stating that he proposes to make the modifications and setting out their effect;
(b) stating the reasons why he proposes to make the modifications; and
(c) specifying the time (not being less than 28 days from the date of publication of the notice) within which representations or objections with respect to the
proposed modifications may be made.
(3) A notice under subsection (2) above shall be given by publication in such manner as the Director considers appropriate for the purpose of bringing the matters to which the
notice relates to the attention of persons likely to be affected by them and, in the case of a licence granted to a particular person, by sending a copy of the notice to every relevant
licensee.
(4) Delete existing subsection and replace with:
(4A) In the case of a licence granted to all persons, or to all persons of a particular class, the Director shall not make any modification unless–
(a) he has considered every representation made to him about the modification; and
(b) there has not been any objection by a person running a telecommunication system under the authority of the licence to the making of the modification.
(4B) In the case of a licence granted to a particular person, the Director shall not make any modification unless–
similar terms.
(5) The Director shall also send a copy of a notice under subsection (2) above to the Secretary of State; and if, within the time specified in the notice, the Secretary of State
directs the Director not to make any modification, the Director shall comply with the direction.
(6) The Secretary of State shall not give a direction under subsection (5) above unless–
(a) it appears to him that the modification should be made, if at all, under section 15 below; or
(b) it appears to him to be requisite or expedient to do so in the interests of national security or relations with the government of a country or territory
outside the United Kingdom.
(6C) Where the Director has given notice under subsection (2) above of a proposal to modify the conditions of a licence, he may in such manner and at such time as he
considers appropriate publish–
(a) the identities of any or all of the persons who objected to the making of the modification; and
(b) to the extent that confidentiality for representations or objections in relation to the proposal for the modification has not been claimed by the
persons making them, such other particulars of the representations or objections as he thinks fit.
(6D) In this section and section 12A below (except in subsection (6C) above), a reference to a representation or objection, in relation to a modification, is a reference
only to a representation or objection which–
(a) was duly made to the Director within a time limit specified in the case of that modification under subsection (2)(c) above or section 12A(6)(e)
below; and
(b) has not subsequently been withdrawn;
and for the purposes of this section and section 12A below representations against a modification shall be taken to constitute an objection only if they are accompanied by a
written statement that they are to be so taken.
(6E) In this section and section 12A below 'relevant licensee', in relation to a modification, means–
(a) in a case where the same or a similar modification is being proposed at the same time in relation to different licences granted to different persons,
each of the persons who, at the time when notice of the proposals is given, is authorised by one or more of those licences to run a telecommunication
system; and
(b) in any other case, the person authorised by the licence in question to run such a system.
(6F) In this section references to making a modification of the conditions of a licence do not include references to the exercise of any power conferred by a term of
the licence to revoke the licence in part or for particular purposes.
(7) References in this section and in sections to 15 below to modifications of the conditions of a licence do not include references to modifications of conditions
relating to the application of the telecommunications code.
12A
3. Delegation of approval functions. [j106]
4. Restrictions on disclosure of information. [j112]
5. Regulations under Part I. [j109]
6. Provision of cryptography support services. [j110]
PART II
FACILITATION OF ELECTRONIC COMMERCE, DATA STORAGE, ETC.
7. Electronic signatures and related certificates. [j412]
8. Power to modify legislation. [j410]
9. Section 8 orders. [j411]
PART III
INVESTIGATION OF PROTECTED ELECTRONIC DATA
Power to require disclosure of key
10. Notices requiring disclosure. [j201]
11. Disclosure of information in place of key. [j201A]
Offences
12. Failure to comply with a notice. [j202]
13. Tipping-off. [j203]
14. Provisions supplemental to ss. 12 and 13. [j203A]
Safeguards
15. General duties of specified authorities. [j204]
16. Code of practice. [j205]
17. The Commissioner. [j206]
18. The Tribunal. [j207]
PART IV
MISCELLANEOUS AND SUPPLEMENTAL
Telecommunications licences
20. Modification of licences by the Director. [j301A]
21. Appeals against modifications without the licensee's consent. [J301B]
Supplemental
22. Ministerial expenditure etc. [j503]
23. General interpretation. [j505]
24. Short title, commencement, extent. [j510]
SCHEDULES:
Schedule 1 – Persons having the appropriate permission [j201S].
Schedule 2 – The Tribunal [j207s].
A.D. 1999.
Make provision to facilitate the use of electronic communications and electronic data storage; to confer powers to require the
disclosure of data needed to obtain access to electronic information or to make it intelligible; to make provision about the
modification of licences granted under section 7 of the Telecommunications Act 1984; and for connected purposes.
BE IT ENACTED by the Queen's most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:–