[ISN] UK Government's Policy on Secure E-Commerce

From: mea culpa (jerichoat_private)
Date: Mon Aug 03 1998 - 14:08:08 PDT


    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    
                    'UK GOVERNMENT'S POLICY ON SECURE E-COMMERCE ...
    
    OTC  29-07-1998 04:20 
    
      Jul 28, 1998 (ELECTRONIC COMMERCE REVIEW, Vol. 1, No. 7) -- To achieve
    our goals, electronic commerce and the electronic networks on which it
    relies, have to be secure and trusted. Whether it be the entrepreneur
    e-mailing his sales information to a potential supplier or the citizen
    receiving private electronic advice from their doctor, the communications
    need to be secure. In a recent DTI survey 69 per cent of UK companies
    cited security as a major inhibitor to purchasing across the Internet. 
    Good information security, therefore, is a vital ingredient which all IT
    producers and users should pay heed to. The DTI, which has a dedicated
    unit involved in giving advice to business on this important business
    issue, is thus introducing an Accreditation Scheme to assess businesses'
    compliance to BS 7799, the national standard on information security. The
    Scheme, launched in April at Infosec 98, will allow businesses the
    opportunity to have their implementation of information security
    professionally certified; giving their trading partners and customers
    greater confidence and trust. The Department is also chairing an industry
    working party to review and update the Standard with the aim of making it
    a global benchmark for all those organisations which take information
    security seriously.
    
       In addition to best practice, however, our businesses also need access
    to appropriate technical solutions to protect the information they send
    across public networks. And perhaps the most important tool is
    Cryptography; the use of digital signatures and encryption. Whether we are
    concerned with the integrity of information (ensuring its content has not
    been altered) or its confidentiality (keep it secret), the appropriate use
    of cryptography can be of major benefit to all IT users. 
    
       There are, however, a number of different characteristics of
    cryptography, which make it a complex issue. These range from its benefit
    to electronic commerce and privacy, as noted above, to the concerns strong
    encryption raises for law enforcement. Thus cryptography policy must take
    account of the needs of the user (whether an individual or a business),
    the government and the international community. For the former, issues of
    trust and confidence are paramount. Whether the requirement is for the
    integrity of data (vital in many forms of electronic commerce) or its
    confidentiality (important for business and the citizen) the cryptography
    mechanism needs to be robust and reliable. Encryption keys protecting the
    information must be strong enough to deter industrial espionage and
    hacking. For the Government there are also good reasons why cryptography
    services should be robust; they help to protect economic and intellectual
    assets and enable new services to be delivered to the public (such as
    electronic tax returns); as well as reducing IT fraud and hacking. 
    
       The measures the Government plan to introduce take account of these
    differing aspects of cryptography and also the responses to the
    consultation process on the licensing of Trusted Third Parties initiated
    by the previous Administration. In respect of the latter, the Government
    has responded to business concerns and criticisms of the previous
    'mandatory' approach to licensing. Thus, as will be explained below, the
    new proposals will neither oblige service providers to obtain licences nor
    to use any particular encryption products or technologies. In addition
    there is now a clear policy differentiation between digital signatures and
    encryption; another concern of industry during the consultation process. 
    The Department in conjunction with this Statement is publishing an
    independent summary of the responses from the consultation exercise. 
    
       In recognising the international nature of electronic commerce the
    Government has, of course, been concerned that policies on encryption
    should, where appropriate, be consistent with the emerging international
    consensus. The measures announced are therefore, fully compatible with the
    OECD Guidelines on Cryptography Policy which were agreed in March last
    year; and as far as possible, consistent with the developments taking
    place in UNCITRAL (The United Nations Commission on International Trade
    Law) on electronic signatures.
    
       The Government has also been working closely with the European
    Commission, especially in respect of our recent tenure of the EU
    Presidency, to ensure that our policy development is compatible with that
    outlined in the Commission's Communication on Encryption and Electronic
    Signatures (COM (97)503) released last October. We look forward to
    working with the Commission and member States on the proposed Electronic
    Signature Directive which will, we believe, foster the development of a
    Pan-European framework for cryptography services.  In respecting these
    developments the Government recognises the clear differences in approach
    that need to be afforded to the development of electronic and digital
    signature services (for integrity) on the one hand, and to encryption (or
    confidentiality) services on the other.
    
       In our efforts to promote the use of electronic signature and
    encryption services we are also working with our international colleagues
    to update and streamline the export controls on encryption products. Such
    controls, we believe, need to reflect the commercial requirements for
    robust and trusted encryption products whilst also taking account of
    national security. 
    
       We therefore intend to introduce legislation to license those bodies
    providing, or facilitating the provision of cryptography services.
    Principally these will be Trusted Third Parties (the generic term for
    bodies that provide one, or a variety of cryptography services to their
    clients), Certification Authorities (bodies which mainly issue
    certificates for electronic signatures) and Key Recovery Agents
    (responsible for facilitating the 'recovery' of encrypted data). Such
    licensing arrangements will be voluntary, as business has requested,
    although we would hope that organisations providing services to the public
    will see the benefit of adhering to a high standard, and the public
    confidence that this will bring. We intend that licensed Certification
    Authorities - conforming to the procedural and technical standards which
    such licensing will confer - would be in a position to offer certificates
    to support electronic signatures reliable enough to be recognised as
    equivalent to written signatures; an essential ingredient of secure
    electronic commerce. Licensed Certification Authorities offering secure
    electronic signature services will, we believe, make a significant
    contribution to electronic commerce. They will provide trust that the
    authentication process is reliable (ie an owner of an electronic or
    digital signature certificate is who they say they are) and consumer and
    business confidence that the signature mechanism employed is robust and
    secure.
    
       Organisations facilitating encryption services (for example through
    offering key recovery or providing key management services for
    confidentiality) will also be encouraged to seek licences. Such bodies can
    offer sound business benefits to their clients. Increasingly organisations
    are recognising the necessity of being able to recover critical data,
    which their staff may have encrypted, or the text of the messages they
    have sent to clients. In such circumstances the permanent loss of an
    encryption key - perhaps because an employee has left - could be very
    damaging. Licensed service providers that provide encryption services
    will, therefore, be required to make recovery of keys (or other
    information protecting the secrecy of the information) possible through
    suitable storage arrangements.
    
       In developing its policy on encryption, the Government has given
    serious consideration to the risk that criminals and terrorists will
    exploit strong encryption techniques to protect their activities from
    detection by law enforcement agencies. Encryption might be used to prevent
    law enforcement agencies from understanding electronic data seized as the
    result of a search warrant or communications intercepted under a warrant
    issued by a Secretary of State. This would have particularly serious
    implications for the fight against serious crime and terrorism. For
    example, during 1966 and 1967, lawful interception of communications
    played a part - often the crucial part - in operations by police and HM
    Customs which led to 1200 arrests; the seizure of nearly three tonnes of
    Class A drugs, and 112 tonnes of other drugs, with a combined street value
    of over Pounds 600 million; the seizure of over Pounds 700 million in
    cash and property; and the seizure of over 450 firearms. During this
    period, around 2600 interception warrants were issued by the Home
    Secretary. (In line with the practice of the Interception Commissioner,
    this figure relates to all warrants issued by the Home Secretary, not just
    those for the Police and Customs). 
    
       In response to these concerns, the Government intends to introduce
    legislation to enable law enforcement agencies to obtain a warrant for
    lawful access to information necessary to decrypt the content of
    communications or stored data (in effect, the encryption key). This does
    not include cryptographic keys used solely for digital signature purposes. 
    The new powers will apply to those holding such information (whether
    licensed or not) and to users of encryption products. They will be
    exercisable only when appropriate authority has been obtained (for
    example, a judicial warrant for the purpose of a criminal investigation
    or, in the case of interception of communications, a warrant issued by a
    Secretary of State) and will be subject to strict controls and safeguards. 
    
       The purpose of the proposed powers is solely to maintain the
    effectiveness of existing legislation in response to new technological
    developments. The powers apply only to information which itself has been,
    or is being obtained under lawful authority. The Home Office will bring
    forward detailed proposals in due course.
    
       In concluding, electronic commerce offers tremendous opportunities to
    us all; but unless we harness those opportunities in policies that are
    both balanced and internationally compatible then trust and security will
    be the losers.'
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:08 PDT