The Electronic Commerce Inquiry Memorandum by the Internet Service Providers Association 26th January 1999 INTRODUCTION The Internet Service Providers Association (ISPA) is an industry trade body set up to represent the interests of the industry in the UK. We have deliberately kept our comments short as requested, and therefore we have not provided a summary. a.. Encryption and law enforcement access 1.. Legal Status of Electronically Signed Documents ISPA supports the adoption of legal recognition of digital signatures. We believe this is something generally useful and supportive of a modern competitive society. We are slightly concerned that in such a fast moving industry there is a risk that technological changes may result in a requirement for rapid and frequent review of any legislation put in place. 2.. Certification Authorities We believe that there is an argument for the government to licence Certification Authorities for electronic signatures. We believe that such licensing and use of such bodies should be voluntary i.e. those who wish to use licenced authorities may do so at their discretion. Furthermore we do not believe use of a Certification Authority is a necessary pre-requisite to legal recognition. 3.. Key Escrow We are not persuaded that a Key Escrow regime is currently sensible. We think that licencing of Certification Authorities for digital signatures and the archiving of encryption keys used for simple confidentiality are wholly separate issues and should not be confused. We think that there are many pitfalls with Key Escrow and it should be avoided. It will impose a large cost on industry, that seems undisputed, and we believe the claimed advantages it brings to national security are illusory. As the committee will probably receive information from many others we will not cover the lengthy arguments in this brief document, but are happy to cover them in verbal evidence if required.=20 We understand that current proposals intend to accord a presumption of legal validity only to signatures certified by licensed bodies, and that escrow of decryption keys (or the functional equivalent) will be a condition of licensing for those offering "encryption services". We believe that this linkage could significantly hinder development of electronic commerce, if business and consumers perceive that forfeiture of exclusive access to sensitive data is the price for legal certainty of signature recognition. 4.. Current Law Enforcement capabilities The issue of Key Escrow seems strange when compared to the resources that UK law enforcement seems willing to devote to building expertise on the current, mostly un-encrypted, Internet activity. Currently most police forces do not have sufficient resources to have a specialist unit which understands the Internet. As of today there also seems to be no central resource which police forces can draw on. Again this seems to be primarily an issue of funding.=20 ISPs have experienced very variable levels of knowledge when discussing crime, such as hacking, with local police forces and would prefer that a central specialist and knowledgeable team be set up. If as a nation we can=92t afford the several millions of pounds per year to properly fund such a unit, why burden UK plc with many tens or hundreds of millions of pounds to maintain a Key Escrow system? a.. E-Mail and the current legal system 1.. Interception of Communications Act 1985 The current legal status of e-mail needs to be given some consideration. Currently e-mail is protected by the Interception of Communication Act 1985 when traversing the public telephone network, but emails will normally also traverse the networks of Internet Service Providers where they will be protected by the Data Protection Act, but possibly not the Interception of Communication Act.=20 ISPA and other trade bodies such as LINX have had some detailed discussions with ACPO (Association of Chief Police Officers) about such matters, and there seems general agreement that ISPs will not release email contents without a warrant (despite countless, poorly researched, press articles to the contrary). But this is a position made in the absence of clear legislation. ISPA suggests that consideration be given to more formal and explicit protection of e-mail. 2.. Junk Mail (spam) There is a persistent and worldwide problem with the sending of junk e-mail. This activity is typically conducted by people unwilling to put accurate return addresses on the unsolicited communication. Although much of this comes from overseas and will not be easily dealt with, there have been some worthwhile attempts to limit the activity, such as legislation in Washington State in the USA. For details see http://www.wa.gov/wwweb/AGO/junkemail/ ISPA suggest such legislation may be worth consideration. =20 b.. Copyright Protection and ISP Liability ISPs are worried by the European Directive on Copyright in the Information Society and the European Commission Draft Electronic Commerce Directive.=20 The parliamentary amendment to Article 5.1 makes this already potentially restrictive article even more unworkable. In short, ISPs often arrange their systems such that they hold temporary duplicate copies of Internet information within their network (known as operating a =91cache=92).=20 There are a variety of reasons for doing this, but keeping access speeds high and costs low are two obvious ones (another less obvious example is where ISPs serving schools use this technology to programmatically check contents of Internet information for indications that it contains pornography prior to passing the data on to a school). Article 5.1 as currently amended seems to be unnecessarily restrictive to ISPs with regard to caching technology and will impair European ISPs from offering the same services as their counterparts in other parts of the world. On a similar note, we believe the electronic commerce directive use of the term =91actual knowledge=92 when referring to ISP awareness of =91illegal content=92 is far too open to interpretation and will potentially make ISPs block access to sites wherever there is a doubt regarding copyright, trade marks etc. =20 c.. Bandwidth Costs Of all the things facing both Internet Service Providers and the Internet user community, the issue of the cost of leased telecommunications circuits in the UK and in Europe seems to stand out as the most important for the issue of allowing electronic commerce to thrive European costs for leased circuits (if you like - the raw material of the Internet) are significantly higher than in the USA. It is an area where the regulatory environment for telecommunications seems to have failed us. These costs are a significant direct or indirect burden for all UK industry wishing to use the Internet for commerce. The UK telecommunications regulation regime seems unable or unwilling to address this issue instead apparently being happy with our position against (generally expensive) European pricing. d.. General Policy Comments We believe that there are some important underlying principles which should be applied in any new legislation.=20 Be Technology Neutral. =96 We should avoid any legislation which is prescriptive about a particular type of technology. The market should be left to decide what technology is the right one to use. Do not underestimate the power and economic importance of the Internet. The Internet continues to grow and pervade every aspect of life at a startling rate. It seems certain to be play a massive part in the future world economy. Countries that do not have a very open, highly competitive, Internet and telecommunications infrastructure will potentially suffer in every other aspect of economic activity. The government=92s own activity can lead the way by it=92s own activity separate from legislation.=20 Examples include =96 Fostering the UK publishing industry by allowing commercial republishing of government produced data as in the US.=20 Making all forms of public-government interaction available over the internet. Ensuring that government departments do not build unnecessary private networks to attempt to duplicate or mirror the Internet (as was recently proposed for public libraries).