Table of Contents
- Privacy
- Global Competition
- Greater use of packaging
- Increased consumption of computers
- Disability
- Access to the technology
- Telework
- Telecentres
- Is it Appropriate to Build Confidence?: Conclusion
- Responses to Particular Points in the Consultation Document
- Licensing Regime for Trust Service Providers (i.e. Providers of Cryptography Services)
- Law Enforcement Interests in Cryptography
- The Needs of Law Enforcement Agencies
Is it Appropriate to Build Confidence?
The title of the green paper begs the question of whether electronic commerce is a good thing, either in global terms, or for the United Kingdom.
Much conventional shopping can take place without consumer identity being divulged: even if many consumers do divulge their identity, the cash transaction without use of a loyalty card is normally available to consumers who do wish to maintain their privacy. With electronic commerce, increasingly detailed information is required by those conducting business, and much further information is automatically collected, including choice of product, delivery address, number and times of electronic shopping visits and payments details. For business-to-individual and individual-to-individual electronic commerce, such tendencies to work against privacy make electronic commerce less attractive than it might seem at first, and less attractive than it is for business-to-business transactions. For this, and other reasons, it cannot be assumed that policies and legislation suitable for business-to-business electronic commerce will be suitable for business-to-individual and individual-to-individual electronic commerce.
The rhetoric of free trade suggests that unrestrained competition is a good thing, resulting in efficient production and distribution, meaning that more goods can be produced with the same inputs. However, this downplays the importance of avoiding monopolies. Monopolies and oligopolies can, and often do, preclude the gains that can be obtained from competition, yet avoiding them needs restraint on competition. The nature of electronic commerce is such that small, temporary, competitive advantages can be used to build oligopolistic power that sustains market position even after the appropriate competitive advantage has gone, especially given the "challenge of generating trust on-line" (paragraph 32): once the short term competitive advantage has been used to establish a position in the market, trust can be built up in ways that may preclude consumers establishing a relationship with an equally good (or, even, slightly better) competitor. To allow trust to be built on a fairer basis, we would like to see the Government working within the EU and with trading partners to support the establishment of a small number of global schemes whereby reputable traders could be acknowledged, and guarantees made about financial security of consumers, redress in case of complaints, etc. Such schemes could be voluntary, but to ensure fairness, would need to levy fees so that small firms pay small fees. Environment Increased transport of goods A global market with good telecommunications tends to promote a tendency to obtain goods from remote suppliers, and to use suppliers that are more remote. This leads to an increase in the distance goods are transported from the supplier to the consumer (whether business or individual). This in turn can lead to environmental damage from the additional transport. Reduced transport of goods Against this, where the essential content of the goods is data or information, electronic delivery is possible, giving the chance that music, videos, newspapers, magazines, and books will all be delivered electronically, and perhaps never take a physical form. In these cases, the harm to the environment of the production and disposal of the goods can be averted by electronic commerce, in addition to the harm to the environment of transporting them. More efficient transport Where business-to-individual electronic commerce replaces conventional shopping, it can be expected to replace individuals driving to the shops with delivery services that carry the goods for a variety of people in the locality at once. This may prove to be a more efficient way of transporting the goods, and puts those who, whether through financial reasons or disability, are without access to a car, at less of a disadvantage than conventional out-of-town shopping developments.
Consignments of goods purchased from remote suppliers (for both business-to-business and business-to-individual electronic commerce) tend to be smaller than consignments in the traditional manufacturer-regional wholesaler-local retailer/supplier supply chain, and thus proportionately more packaging is used, with environmental disbenefits.
Implicit in the use of business-to-individual and individual-to-individual electronic commerce is the increasing availability of web-capable computers (including those based on digital TV and set-top boxes). Increasing consumption of computers may have a detrimental effect on the UK economy so long as a large part of their cost is payment for imported components and intellectual property. It may also have a detrimental effect on the environment.
Equal access to electronic commerce for mobility impaired people
Business-to-individual, individual-to-individual, and individual-to-business electronic commerce give a real possibilities of access to some forms of shopping and trading on equal terms for people with impaired mobility. However, conventional shopping is a social activity. As well as its functional role, it includes opportunities for casual conversation and planned and unplanned meetings with others. Electronic shopping cannot, or does not, support the social side of shopping. Similarly, conventional trading has a social element not supported by electronic trading. One concern if electronic commerce is seen as a way of providing access to shopping and trading for disabled people is that efforts to improve access to conventional shopping and trading may be down-graded, when both are needed to enable real participation by disabled people in society.
Lack of tactile information for visually impaired people
One particular problem for retail electronic commerce is that the purchaser is unable to physically handle the goods prior to purchase in the same way as they can in traditional shops. This can be difficult for all customers, but is of particular concern for visually impaired people, who may also be unable to see an image of the product either. It is important that retail electronic commerce is conducted in such a way that visually impaired people can return normal goods that turn out to be unsuitable without having to pay either for the goods or for the transport of the goods.
One of the major issues regarding the desirability of electronic commerce is the issue of equity, as it manifests itself in the uneven distribution of access to technology. These are largely issues of cost.
Cost
Practical access to information and communications technologies (ICTs) may be reducing in cost, but still can be prohibitivly expensive for many on low incomes. Until and unless either inequalities are dramatically reduced, or the costs of ICTs fall even more dramatically, it is important to ensure that those on low incomes are protected from being left behind. This is particularly relevant given that goods purchased on the internet are significantly cheaper than equivalent than identical goods purchased conventionally. It will be particularly unfortunate if the poorest in society are denied practical access to the cheapest way to purchase goods and services, when lack of access to suitable forms of transport already denies many of the same people practical access to out of town retail centres (which tend to be cheaper than town and city-centre outlets).
Access to telecommunications in less industrialised countries
Latest statistics suggest that even in 2003 over 90% of the world's population will not be linked to the internet. In less industrialised countries, the physical telecommunications networks may not be present, and with mobile telephony there may never be a sufficient critical mass of potential users to establish fixed networks. This may lead to higher telecommunications costs in less industrialised countries, against a background of lower average incomes, meaning that electronic commerce is even more the sole preserve of the affluent in these countries. The deficiencies of fixed telecommunications networks and higher costs of mobile communications together may hinder the involvement of businesses in less industrialised countries in electronic commerce, whether as suppliers or purchasers. Such a situation may enable the United Kingdom to gain a competitive advantage in electronic commerce, but only at the expense of further exacerbating global inequalities of income and wealth.
Electronic commerce opens up some possibilities for telework. While these possibilities can have many beneficial effects, re-locating work to people, rather than requiring people to re-locate or commute to the work, there are also possible disadvantages. Telework requires the same access to the technology as other forms of electronic commerce, but may be more vital, in being the potential sorce of the whole family income, rather than merely one way to spend some of it. The barriers to practical access to the technology may be higher, indeed, for telework given that effective work from home really needs dedicated space (and perhaps a dedicated room). Such space, where not already available, is very expensive compared to the technology. Moreover, for people living in social housing, it is highly unlikely that extra space will be made available in the home for those wishing to telework.
Telecentres may partially alleviate the problems of access to the technology and of finding space to telework. However, experience suggests that it is impractical to expect telecentres to be profit-making or even self-supporting, and the inconvenience involved in using them suggests that they will not be very significant in business-to-individual electronic commerce.
There are substantial drawbacks with electronic commerce that make it unclear that it is appropriate to build confidence. Unless these drawbacks are addressed, the building of confidence in this new form of trading will mislead the public.
Paragraph 2:
We do not see "publicly available kiosk[s] in a public library or the local supermarket etc." being a significant factor in electronic commerce. People who do not have access to the internet through easier means are most unlikely to have the skills or inclination to make use of such kiosks on any significant scale.
Paragraph 3:
We accept that criminality and terrorism are serious problems. However, we are not convinced that there is such a substantial "need for new powers for law enforcement agencies to gain legal access, under proper authority and on a case by case basis, to encryption keys", that it should be one of the founding principles of new legislation. Current intelligence efforts against criminality and terrorism suggest that suspects will leave many clues available to law enforcement agencies, even with current legislation. Further, access to plaintext is the ultimate aim, and encryption keys are merely one means to that end: if access to the content of messages is truly needed, a more appropriate and "technology neutral" means of expressing this in the principles for the new legislation should have been used.
Paragraphs 7-10:
One of the major constraints on electronic commerce has been a lack of clarity about legal regimes for transnational transactions. We believe European Union proposals go a long way to enabling the clarification of the law regarding transnational electronic commerce within the EU. We consider that it is of great importance that the Government (ideally working through the EU, and possibly The United Nations Commission on International Trade Law - UNCITRAL) establishes measures to enable such clarification for other trading partners, and especially the United States and Pacific rim, which already have substantial presences online.
Paragraph 18:
Given the importance in law of the definition of writing, and the importance that 'written' materials can be freely available to the vast majority of the population, wholesale change to the law must be avoided. We are particularly concerned that communication to members of the public and small businesses that currently must be in writing will continue to be as easily available to them as visible writing. Communication in electronic form to any of government, larger businesses or other larger organisations, by contrast, could be handled by them without excessive overheads (and indeed with possible savings), provided it is in standard form. Moreover, willingness to accept electronic communication as equivalent to writing is important in allowing equal autonomy to blind people in access to goods and services. Thus we would recommend that if enabling legislation is used to allow legal recognition of electronic writing and signatures, that a distinction be made in the enabling legislation between members of the public and small businesses, on the one hand and government, larger businesses or other larger organisations on the other. This distinction should be used in such a way that materials received by the former group are always available in writing in the sense of the current law, while as a general principle materials received by the latter group must treat electronic forms as equivalent to non-electronic forms of writing.
Paragraph 24:
Subliminal Advertising
We are particularly concerned that subliminal advertising is banned from the internet. While legal restraints in the UK alone cannot eliminate the potential for UK citizens being subject to such subliminal advertising, it would be a useful start. It is to be hoped that the Government can negotiate with other Governments to eliminate this threat. To effectively control subliminal advertising in the online world, where national boundaries are invisible, until and unless all states act against subliminal advertising, we would recommend an offence of presenting, or allowing others to present subliminal advertising on a website or other internet facility under the person's control, or knowingly directing users to an internet location where subliminal advertising is presented.
Privacy
Given that speed is not particularly important with decryption of stored data, and the lack of impact of encryption on the fight against crime, it appears to us to be inappropriate that key recovery is enforceable for such purposes. Given that privacy is at stake, it is appropriatee for the decryption methods available without cooperation to be restricted to 'cracking' when stored data is the target. Given that privacy concerns may undermine confidence in electronic commerce, we recommend legal measures to restrain the passing on of information gathered through electronic commerce transactions (of all types) to third parties. This is especially (but not uniquely) important with business-to-individual electronic commerce. This could also help combat spam (paragraphs 28-31). Such measures will not be sufficient to maintain privacy in electronic commerce. We would also recommend legal measures to restrict the cross-referencing of data about transactions even within a single organisation (with exceptions for the detection and prevention of fraud). Again, this is especially (but not uniquely) important with business-to-individual electronic commerce. Another privacy issue is the collection and storage of client persistent information (including cookies and information stored on the server). The EU Data Protection Working Party (see http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp17en.htm, accessed 31.03.1999) argue that "Internet hard- and software products should allow the data subject to freely decide about the processing of his/her personal data by offering user-friendly tools to filter (i.e. to reject or to modify) the reception, storage or sending of client persistent information". Given that current practice is contrary to this, we urge the Government to work towards European legislation to bring about a situation where individuals can participate in electronic commerce while retaining rights to decide about such issues.
Paragraph 31:
We do not believe the industry solutions being developed to combat spam are likely to be effective. Current behaviour of the senders of such emails is such that it appears likely that an opt-out e-mail preference scheme will be abused as a source of active e-mail addresses by the senders of spam. Further, it is so easy for an individual to send out spam, that the DMA is unlikely to have any influence. Futher, commercial advantage of ISPs is of little benefit to those who have email access through their employer or place of education. The tools to combat spam that we would recommend include "Further legislation to enforce service provider contracts to prevent the sending of unsolicited bulk e-mail". However, we are aware that some service providers appear to be happy to take no effective action to prevent spam, and believe it is important for such legislation to work against such providers. We would also recommend a specific prohibition on the sale or purchase of lists of email addresses. We would oppose the simple prohibition of "spoofing". There are circumstances where mis-representation of the origin of e-mails can provide a valuable safeguard to privacy. By providing anonymity, such mis-representation can enable the internet to be a conduit of anonymous tip-offs for law-enforcement agencies. There may, however, be good reason to prohibit mis-representing the origin of electronic communication in such a way that it appears to come from a live human being other than the real sender. We would support the principle of mandatory establishment of labelling, however, we are aware that the line between unsolicited commercial email and legitimate use of email lists to inform people about something within the purposes of that list can be very fine. Further, given that most spam originates outside the UK, it is hard to see how labelling would act against the bulk of the problem, unless international agreement could be reached.
Paragraph 32:
In order to promote high quality service and competition on bases other than price, intermediaries should be placed under some obligation to provide information for comparison beyond price and contact details for the vendor. Particular possibilities include a requirement to present some information about slightly more expensive suppliers who may be adding value to the product (perhaps by offering longer guarantee periods). Another possibility is to require that warnings are available about purchasing from suppliers in countries with weak consumer protection, or to require that where suppliers that have met certain genuine quality assurance standards, this information is passed on to potential consumers along with the price and contact information.
Paragraph 34 / Annex A.
We are particularly pleased to see, under Annex A, (ii) Licensing Criteria for Certification Authorities, that pseudonyms are explicitly allowed, because there may well be circumstances where the proof of identity needed does not need to be mapped precisely against a 'real live human' individual, but rather that the individual associated with two pieces of information is one person. Allowing pseudonymity can significantly help maintaining privacy in the online world.
Paragraph 45:
Limited Liability
We are not convinced that limiting liability is necessary or desirable. Given that cryptography services require trust to operate effectively, we would anticipate the benefits of demonstrating trustworthiness to be sufficient to induce most cryptography service providers to seek a license. Limiting liability is generally undesirable unless there are advantages to outweigh that undesirability. The undesirability arises because it redistributes risk from those who are otherwise legally liable to those who happen to be innocently doing business with them. In this case, the advantages appear to be available through other means, and so fail to provide a reason for accepting the undesirability of limiting liability.
Duty of Care
We believe that a duty of care should be placed upon providers of cryptography services. In contrast we can see no point in introducing such a duty of care placed upon individual users of cryptography services: the inconveniences accompanying becoming aware of the disclosure of their private key would be sufficient to ensure care was taken.
A requirement to reveal keys is different in principle from a requirement to decrypt specific files. The revelation of keys enables any future information encrypted using the same keys to be decrypted. As, by definition, such files cannot have been considered when disclosure of the keys was sought, whether their decryption is appropriate or not is a separate issue that ought to be considered separately. This may be of particular concern where encryption is used by a professional to protect files that are legitimate, as well as files subject to the investigation by the law enforcement authorities. We would have less concerns with a proposal that required the contents of files to be revealed, rather than the current proposal to require that keys are revealed. Given that "The Government does not intend to use the new measures to extend, either directly or indirectly, its intrusive surveillance powers", the examples given (paragraphs 50) are not relevant to the discussion at hand. The use of information an communications technology meant that there was evidence - albeit in encrypted form - that would not have been available at all with other technologies. Further, "the impact of encryption ... is not having a major operational impact on the fight against crime" (paragraph 83). If it is effective, decryption using recovered keys would make more evidence available to the law enforcement authorities than ever before and thus inevitably extend intrusive surveillance powers. Until and unless encryption does have a major operational impact on the fight against serious crime, no measure to enable the enforced recovery of the content of encrypted messages can be justified, given the legitimate interest in privacy that all citizens share. The knowledge that revelation of encryption keys may be required is likely to deter the most serious criminals and terrorists from using public networks. In doing so, materials that currently are available to law enforcement authorities, at the overhead of 'cracking' the cypher, may cease to be available at all. Given that the Interception of Communications Act 1985 allows for interception "for the purpose of safeguarding the economic well-being of the United Kingdom", there may be particular concerns that commercial information will be the target of decryption. We do not see such information as being an appropriate target for decryption. Whether or not the fears are justified, a specific safeguard should be built into any legislation to ensure that they are not allowed to hinder electronic commerce.
Paragraph 70:
It might be that Parliament wishes to legislate for self-incrimination to be required in further cases where it believes the gains outweigh the risks. However, if it does, it should do so consciously, rather than in the mistaken impression that a requirement to reveal encryption keys will not amount to a requirement to self-incrimination. It is our belief that a requirement to reveal encryption keys can amount to a requirement to self-incrimination: it is requiring individuals to reveal information that facilitates enquiries that can be used against them, and these enquiries are ceteris paribus far more likely to reveal evidence against the suspect revealing their encryption key than any other person. We are particularly concerned that Parliament will not be able to properly debate the issues surrounding self-incrimination if the proposals are mis-represented.
Safeguards.
We welcome the safeguards proposed in paragraphs 72 to 74, although we would seek further safeguards. We welcome the fact that neither key escrow nor third party key recovery will be a requirement for licensing (paragraphs 80-82).
Paragraph 84:
"The Government would welcome ideas on how its law enforcement and electronic commerce objectives might be promoted". Existing broader Government measures to be 'tough on the causes of crime' should be sufficient to reduce the worries about crime. Given that "the impact of encryption ... is not having a major operational impact on the fight against crime" (paragraph 83), our main concerns about the relationship of crime to electronic commerce are that it will directly open up new opportunities for fraudulent and otherwise illegal transactions. We consider it to be vitally important for the future of electronic commerce that policing effort is exercised to ensure that criminality is less able to flourish in the electronic sphere than in conventional spheres, but do not believe that this requires any powers to enforce access to encryption keys at this time.
Paragraph 86:
Where law enforcement agencies have a legitimate need to access the plaintext of intercepted communications, it is hard to see how access to the encryption key will help legitimate law enforcement in a way that access to decrypted plaintext of individual messages will not.
Paragraph 89:
Given that speed is not particularly important with decryption of stored data, and the lack of impact of encryption on the fight against crime, it appears to us to be inappropriate that key recovery is enforceable for such purposes. Given that privacy is at stake, it is appropriatee for the decryption methods available without cooperation to be restricted to 'cracking' when stored data is the target.