on

Detailed Proposals for Legislation

March 1997

On 10 June 1996 I announced to Parliament that the Government would be bringing forward proposals for the licensing and regulation of Trusted Third Parties for the provision of encryption services. I indicated then that a public consultation document on the Government's proposals would be issued prior to the introduction of legislation. I am pleased to be able to introduce this document to you now.

The proposals in this consultation document make a significant contribution to the Government's overall strategy for building the information society in the UK. The provision of secure electronic commerce is a key issue for business and consumers and it is important that we take positive steps to address it, if we are to ensure that everyone in the UK exploits the full potential of information and communication technologies.

The last 12 months have been a year of intense activity for Government. February 1996 saw the launch of the Information Society Initiative Programme for Business aimed at encouraging British business to improve its competitiveness by using information and communication technologies. December 1996 saw the full liberalisation of international telecoms facilities in and out of the UK, and the launch of IT for All - an exciting new programme aimed at bringing the benefits of the information society within the reach of all UK citizens. The Green Paper government.direct set out a vision for the electronic delivery of Government services. Whilst the Education Department's Superhighways Initiative continues to support a series of projects designed to raise awareness of computer networks in education.

The UK is already a world leader in the telecommunications, broadcasting and multi media industries. Business and consumers are therefore well placed to take advantage of the opportunities on offer. Despite this however, significant barriers to the take up of electronic commerce still remain.

These proposals - aimed at facilitating the provision of secure electronic commerce - are being brought forward against a background of increasing concern, not about the technology, but about the security of information itself. In a world where more and more transactions are taking place on open electronic networks like the Internet, there has been a growing demand from industry and the public for strong encryption services to help protect the integrity and confidentiality of information. These proposals have been developed to address those concerns, but at the same time are aimed at striking a balance with the need to protect users and the requirement to safeguard law enforcement, which encryption can prevent.

I believe that the proposals outlined in this paper achieve that balance. Their success though will ultimately depend on their widespread acceptance and use of Trusted Third Parties by the business community. We are therefore looking to industry to work with us in close partnership on this important issue.

I therefore urge you now to let us have your comments on this document.

TABLE OF CONTENTS

FOREWORD i

TABLE OF CONTENTS iii

SECTION I: INTRODUCTION ................................................................... 1

SECTION II: GOVERNMENT POLICY FRAMEWORK .............................. 3

SECTION III: EUROPEAN UNION & OECD DEVELOPMENTS ................. 5

SECTION V: TRUSTED THIRD PARTIES 9;

SECTION VII: MOVING AHEAD ................................................................... 19

Consultation Paper on Proposals for Legislation

• TTPs are being licensed to protect the consumer - Users will need to be protected from sub-standard TTPs. Users must also be assured of a TTPs trustworthiness, technical ability, financial stability, confidentiality of operations and ability to take legal liability for their actions.

• TTPs will be able to offer interoperability of secure services hitherto unavailable - While encryption products are available in the UK domestic market, interoperability between different products is not possible. A lack of standards for algorithms and interfacing, coupled with the high burden of key management has created a fragmented market. Today's encryption market is thus very costly. Passing the key management to TTPs and building products to a common architecture will allow access to cryptography for everyone with a PC. Encrypted communications, therefore, will no longer be limited to Governments and larger organisations.

• TTPs will allow UK Business to take advantage of secure electronic trading- The wide availability of cryptography will allow more paper based transactions to be conducted electronically. Time stamping, non repudiation, confidentiality, authentication and integrity are all necessary to install trust in the electronic age and to allow electronic contracts to take the place of paper ones.

• TTPs will also be able to offer Data recovery Services - At present, if encryption keys are lost, stolen or deliberately withheld by disaffected employees then the information will remain encrypted and may be lost to its owner for ever. TTPs will be in a position to offer recovery of the keys to their clients as they will store (or escrow) the keys.

• TTP Encryption policy will help UK manufacturers to export robust encryption within their products - Products that are designed to operate within a TTP environment will be subjected to simpler export licence procedures, thus allowing them to be exported with minimum restrictions. This increased availability will stimulate a greater demand for encryption products both in the UK and foreign markets. UK companies should be in a good position to take advantage of this.

• Use of licensed TTPs is voluntary - those wishing to do otherwise are at liberty to do so - The market will decide if it wants to use TTP services and not Government. The Government believes that the benefits of this scheme will far outweigh any others. Of course those wishing to use any other cryptographic solutions can continue to do so, but they will not be able to benefit from the convenience, and interoperability of licensed TTP services.

• UK taking lead in very important area - Many countries are currently trying to develop a cryptographic policy. Many countries agree with the UK that widespread use of cryptography must not be to the detriment of law enforcement requirements. The Government believes that this scheme is the best way to achieve this balance and that other countries may also see the benefits and follow the UK lead.

• Help to increase the Volume of electronic trading - Transactions over the Internet are forecast to reach as much as £ 22 billion by 2005. Some research suggests that the Internet will take 5 -10% of all retail traffic by 2000. Various barriers (lack of security products and standards, and poor interoperability) may impede this growth. The introduction of TTPs should help in this respect.

1. The policy considerations for HMG which have determined the scope and content of the proposed legislative headings which follow are outlined below:-

Positive Licensing regime

 

The Government believes that the positive (and individual) licensing of TTPs (i.e. the body being licensed before the service can be provided) is critical in allowing the initial assessment, monitoring and regulation of a TTP that would meet the requirements of consumer protection, trust in the market and security, intelligence and law enforcement access. Consumer trust and acceptance are paramount as it is anticipated that licensed TTPs will form the back bone of the Public Key Infrastructure in the UK which, in itself, is a critical requirement for the growth of secure electronic communication. Such licensing arrangements will, therefore, also apply to TTPs solely providing public key certification services.

1. The Government has considered other routes such as negative licensing (where bodies would be free to provide encryption services unless they breached pre-set licensing conditions) and (e.g. intra-company TTPs)

    

1. The TTP legislation will not require intra-company TTPs (i.e. organisations supplying encryption services to their own employees or those within their own Group of companies) or similar closed user groups, to be licensed. However, if within such a closed community an intra-company TTP wishes to extend its services beyond the members of the group or, if it wishes to interoperate with a licensed TTP, a licence will be required.
1. Encryption services as an integral part of another service (such as in the scrambling of pay TV programmes or the authentication of credit cards) are also excluded from this legislation.
1. The Government invites views on whether the suggested scope of an exclusion from licensing for intra-company TTPs is appropriate in this context.

Electronic signatures

 

1. Various national and international bodies are currently considering a number of issues concerning the legal recognition of electronic signatures. For example, a note on the recommendations contained in a recent report by the Society for Computers and Law on digital information and the requirements of form generally is at Annex A. In the UK, research has shown that uncertainty as to the legal effect of using electronic commerce is seen by the business community as a considerable barrier to its development. In particular, there is uncertainty as to whether a requirement in law for a signature can be met using electronic technology. The Government is currently considering how best to ensure that requirements of form laid down in statute law can be met electronically. This is likely to be a massive undertaking as it involves reviewing all existing legislation to identify those cases where use of electronic technology would not meet legal requirements of form.
1. Two separate issues which need to be considered are how the identity of the signatory of a document and the integrity of a document may be proved in legal proceedings in the UK. These issues may arise where a digital document is admissible in court and where digital signature satisfies relevant legislation. Parties to encrypted documents may be able to agree between themselves as a matter of contract law that they will accept a certificate by their TTP as to these matters in any action against each other over the contract. This would not however bind a third party and would not necessarily assist if the validity of the contract were challenged.

 

1. The Government would welcome views on whether this legislation should establish a rebuttable presumption in any proceedings that a document has been signed by the person or persons named in a certificate issued by a licensed TTP who has provided encryption services in relation to that document. A similar presumption could also apply to the certification by a licensed TTP of the integrity of a document. This would have the effect of placing the burden of proof on a person wishing to challenge the identity of a signatory of a document or the integrity of a document.

 

 

1. The Government invites views on whether, in the short term, it would be sufficient for business to rely on agreements under contract regarding the integrity of documents and identification of signatures; or whether it would be helpful for legislation to introduce some form of rebuttable presumption for the recognition of signed electronic documents.

Convention on key exchange to underpin TTP legislation

 

1. Although the legislation will require foreign TTPs offering or providing encryption services to clients in the UK to have a registered base in the UK (which will allow for the licensing of non-UK bodies with no trading presence in the UK), there will be no provision requiring UK clients to use a UK licensed TTP. They are, and will be, free to register with foreign TTPs. It will therefore be necessary (for law enforcement purposes) to establish arrangements with other countries for the exchange of keys. The UK Government believes that these arrangements will be on the basis of dual legality i.e. whereby the criteria for access is satisfied in both countries. The keys held by UK licensed TTPs will not, under this legislation, be permitted to be disclosed to the authorities of other countries unless such requests satisfy UK law and are authorised by the competent UK authority. A fuller description of such arrangements is at Annex B.

 

Licensing Criteria & Conditions

 

1. It is intended that the licensing conditions, as opposed to the criteria on which licences will be granted, will not be prescribed in the legislation.

 

LEGISLATIVE HEADINGS

Licensing Regime

 

1. The legislation will provide that bodies wishing to offer or provide encryption services to the public in the UK will be required to obtain a licence. The legislation will give the Secretary of State discretion to determine appropriate licence conditions.
1. The DTI has been chosen as the initial authority for the licensing, in view of its experience in licensing telecommunications operators. Further consideration will be given to whether the on-going enforcement task in relation to these licences will also be handled by the DTI, or whether it will be delegated. The legislation will include provisions to allow both licensing and on-going enforcement to be delegated to a responsible designated body. More detail about the structure of the regulatory arrangements will be included in the further statement referred to in paragraph 3 above.
1. The duration of licences will be a minimum of five years. Licence fees will be payable both on the grant of a licence and annually thereafter to meet the cost of their issuing and enforcement.

 

1. The Government invites views on the appropriateness of these arrangements for the licensing and regulation of TTPs.

 

 

Licensing Criteria & Conditions

 

1. As noted above the DTI or a designated body will be responsible for determining, and enforcing compliance of TTPs with, the licensing conditions. DTI will consult with other government departments and organisations on the practical, legal or technical details as necessary.

 

1. Before the Licensing Authority will deem an organisation fit to receive a licence to provide encryption services, it will need to be satisfied as to, inter-alia:-

• competence and trustworthiness of information security personnel
• competence and trustworthiness of directors
• competence of information security management
• technical assurance of IT security equipment used for key management and storage
• adherence to quality standards and procedures
• adequate liability cover
• ability to meet legal access conditions
• the TTP's business plan and longevity of interest in market
• isolation of TTP function from other business functions
• interface requirements to other Licensed TTPs
• structure and ownership

1. Annex C outlines in more detail the thinking behind the above criteria and seeks comments and suggestions on their appropriateness. A register of the holders of TTP licences, and the licences issued should be publicly available.

 

1. The licence conditions will include such conditions as are necessary to ensure continued adherence to the licensing criteria. This may include-:

• provision of quality services to public
• demonstration of co-operation to authority under legal access conditions
• adequate co-operation with other licensed TTPs

1. The Government seeks views on the proposed conditions.

 

Exclusions

 

1. Encryption that is used solely in the protection of a business service (e.g. in pay TV systems or in payment systems), or encryption services that are provided only to the employees of the service provider or those in the same group of companies (see footnote 5) are outside the scope of this legislation.
1. For example, a home banking service offered by a bank to its clients, which included a cryptographic functionality designed to protect the banking transaction between a client and the bank, would not be covered by this legislation. However, if the bank wished to extend the cryptography's functionality and allow client to client communications, then this service would be covered by the legislation, and the bank would need to apply for a licence. Another example, of an excluded service, would be the key management and certification services that might be offered by providers to credit card companies to authenticate the users of their cards.
1. Similarly, an employer offering cryptographic protection between its employees, (whatever the functionality) would not be covered by this legislation. However should it decide to extend the protection service to its suppliers, then it would require a licence.
1. In many cases such "intra-group" TTPs are likely to seek a license given their need to interoperate with organisations outside their own organisation, or with clients of a licensed TTP.
1. The Government invites comments on whether specific exemptions for particular organisations offering encryption services may be appropriate, depending on the nature of services offered.

 

1. The Government also invites comments on whether it is thought desirable to licence the provision of encryption services to businesses and citizens wholly outside the UK.

 

Prohibitions

 

1. The legislation will prohibit an organisation from offering or providing encryption services to the UK public without a licence. Prohibition will be irrespective of whether a charge is made for such services. The offering of encryption services to the UK public (for example via the Internet) by an unlicensed TTP outside of the UK will also be prohibited. For this purpose, it may be necessary to place restrictions on the advertising and marketing of such services to the public.
1. The legislation will be framed so as to give existing providers of encryption services time to obtain licences, as TTPs, before the prohibitions outlined above come into effect.
1. For the purposes of this legislation the terms public and encryption services will encompass the following meanings:

• Public will be defined to cover any natural or legal person in the UK.
• Encryption services is meant to encompass any service, whether provided free or not, which involves any or all of the following cryptographic functionality - key management, key recovery, key certification, key storage, message integrity (through the use of digital signatures) key generation, time stamping, or key revocation services (whether for integrity or confidentiality), which are offered in a manner which allows a client to determine a choice of cryptographic key or allows the client a choice of recipient/s.

1. The legislation will also prohibit a UK licensed TTP from contracting with any non licensed TTP for the purposes of carrying out encryption services. In order to build up a TTP network it may be necessary from time to time for UK licensed TTPs to recognise non-licensed bodies from other countries where no licensing regime exists. In such cases recognition should not be given to an unlicensed body until the UK licensed TTP is satisfied that such recognition would not put at risk its ability to meet any of its obligations under this, or other, legislation, or international obligations (such as those concerning data protection).

 

Legal Access

1. The legislation will provide that the Secretary of State may issue a warrant requiring a TTP to disclose private encryption keys (protecting the confidentiality of information) of a body covered by that warrant. Under such legal access arrangements, there will be safeguards broadly similar to those in the Interception of Communications Act 1985, under which a Secretary of State may issue a warrant requiring the interception of communications
1. For the purposes of legal access, a central repository might be nominated or established by the UK authorities. The purpose of this central repository will be to act as a single point of contact for interfacing between a licensed TTP and the security, intelligence and law enforcement agencies who have obtained a warrant requiring access to a client's private encryption keys. The central repository would, therefore, be responsible for serving the warrant (whether by physical or electronic means) on the TTP and distributing the encryption key to the appropriate agency.
1. It is envisaged that a warrant would require a TTP to disclose, in a timely manner, cryptographic key material to a central repository (acting on behalf of an agency). It is envisaged that it should take no more than an hour for a TTP, once presented with a validated warrant request, to deposit the appropriate client encryption key(s) with the central repository. The procedures and methods to enable such timely disclosure will be determined between the licensed TTP and the central repository. The costs of obtaining a warrant and serving it on a TTP, as well as the direct costs of the TTP complying with such a request, shall be borne by the appropriate agency. Costs of implementing and maintaining the technical capabilities for legal access shall, however, be borne by the TTP.
1. In order to comply with the above legal access provision, TTPs will be required:-

• to have the ability to deliver cryptographic key material by secure electronic means to a central repository on receipt of a validated warrant.
• to demonstrate the ability to recognise a duly authorised warrant served by the central repository, and to comply only with such a warrant.
• to be responsible for facilitating all measures necessary for legal access.
• to keep auditable records of legal access requests.
• at all times, not to deliberately or negligently jeopardise the integrity of any legal access request, or to disclose the identity of the target of such a request.

Paragraph 93 - Whether the proposed duties of an independent Tribunal are

96. The Government will need to consider the comments received and, in some cases, discuss them with their originators. A summary of comments will be published prior to the introduction of legislative proposals, subject to requests for confidentiality.

1. The emergence of electronic commerce will, to a large extent, be determined by the market both in terms of the availability of technology and the trust business has in it. Governments can, however, help to facilitate secure communications by helping to provide the appropriate regulatory and legal infrastructures. Apart from the licensing of Trusted Third Parties, which the proposed legislation will deal with, Governments may also wish to ensure that electronic communications, especially when used for electronic contracts, can be legally recognised. Although electronic "partners" may well be prepared to contract with one another on the basis of "trust" (as many organisations do already) there is a perception that some form of legislation should underpin the basis of this electronic communication. For example, if there were a dispute on the alteration, or disclosure of a message, recourse to the courts may well be appropriate.

 

1. In recognition of the possible need to introduce new, or amend existing, legislation to allow for the recognition of digital transactions, and particularly digital signatures, the Government has welcomed the work of the Society for Computers and Law. The group, co-ordinated and facilitated by the Commercial Law Unit at Queen Mary and Westfield College has examined whether current English legislation may prevent electronic contracts being enforced; and - if so - what steps might be taken to address the issue. It was recognised that Scottish law, which is different in some respects, would have to be, and is being, looked at separately.

 

1. The Group has now made the Government aware of their findings on both of the above counts. To answer the first question the Group analysed those terms in legislation which pertained to the transmission of electronic information. They thus considered whether the existing usage of words such as "information", "document", "recording", "writing" and "signature" had meanings, in their legislative context, which could extend to digital electronic information. Basically, they found that all the above terms, and others, could be extrapolated to cover electronic information apart from the terms "signatures", "writing" and (more obviously) "physical writing". These latter terms, they suggested, had meanings which generally pertained to the "physical " world of documents and ledgers, rather than to the electronic one. Thus they suggested that by altering, or perhaps extending the general meaning of these words, it would be possible for future legislation to be electronic proof (so to speak). For existing legislation, however, the Group concluded that piecemeal change would probably be more appropriate. This being based on the vast amount of exiting law which has references to "writing" and "signatures" in, and the realisation that some of this body of law may actually require physical actions (such as a signature in writing for some legal processes).

 

1. In light of these findings, DTI, and other interested parties, may now wish to consider whether these measures, or any others should be taken forward. Introducing changes to the above terms through the use of the Interpretation Act (as recommended by the Group) is a complex matter and would, necessarily require primary legislation. Government will also no doubt consider whether, and if so how, the further (and perhaps even more difficult) task, of examining the current legislation - to see where the terms "signature" and "writing" need amending, can be taken forward.

 

1. These are complex issues and cannot be rushed. Such changes will possibly help to underpin secure electronic commerce for a long time to come. We cannot afford therefore to get it wrong.

 

1. The picture is further complicated by the fact that electronic commerce is global in nature. The contracting parties will - possibly in the majority of cases - not both be in this country and therefore the law of a different jurisdiction may also be relevant. In recognition of this a number of different bodies (both public and private) as well as different Governments, are contemplating issues of digital signature recognition. Perhaps the most important is the work being undertaken by the United Nations Commission on International Trade Law (known as UNCITRAL). The latter set up a working party 1995 to try and develop a "Model Law" which would aid members in developing compatible and broadly similar legislation. This being on the simple basis that issues such as dispute resolution, may be easier to handle where legislation is broadly similar, rather than totally different. The "Model Law" has now been published and has already formed the basis of legislation in a number of US States. The Group's recommendations, noted above, is also broadly compatible with the UNCITRAL approach. Work at the UN, however, does not stop with the Model Law. A new working group of UNCITRAL has now been commissioned to look at the process of using digital signatures. They will be exploring such issues as the role, and responsibilities of Certification agents, and how the legal certainty of a signature relates to the technological process being used to sign data.

 

1. Another initiative has come forward from the American Bar Association (ABA) who have produced their own legal guidelines on both the use and recognition of digital signatures. The European Commission has also recently initiated a number of studies of the legal recognition of digital signatures perhaps as a forerunner to the emergence of guidelines of their own.

 

1. The DTI, and other interested Government Departments, will take note of these developments in considering what steps we need to take.

1. If the UK and other countries adopt a system of Trusted Third Parties (TTPs) providing confidentiality services including encryption on a key escrow basis, it will be open to encryption users to register with a TTP abroad. Unless workable arrangements are in place for the authorities to gain access to keys escrowed with TTPs in other countries, criminals may choose to register with TTPs abroad in order to evade national legislation providing for access to keys held by TTPs licensed in their own country.

2. Direct access to TTPs by foreign authorities would raise a number of concerns, for example:

• the host country might be concerned that access to certain encrypted data might be detrimental to its national security and economic well-being;

• in the law enforcement domain, keys might be sought in connection with the investigation of offences abroad which would not be serious enough to justify interception or key access under the host country's own legislation;

• any indication that key access might be inadequately controlled could undermine the confidence of the public and industry in the integrity and security of TTPs.

3. To meet these concerns the host country's authority would need to have full information on the foreign authority's case for seeking disclosure of keys, in order to enable a decision to be taken on whether or not to serve a warrant on the TTP.

4. It has been suggested that some of these concerns might be met if, rather than permitting the release of encryption keys at the request of a foreign authority, international arrangements provided for the passing of plain text of decrypted material.

5. Provision of plain text may be adequate where the need is for decryption of stored material seized for evidential purposes. Arrangements for the provision of plain text in such cases might be pursued through:

• bilateral agreements, or;

• (where plain text is required for evidential purposes) agreements based on existing arrangements for mutual judicial co-operation.

6. However, the provision of plain text is unlikely to be practical where the need is for urgent decryption of intercepted communications or decryption of stored data to provide time critical operational intelligence. In these cases arrangements for the release of keys to the requesting authority would be required.

7. Arrangements for lawful key access need to:

• create an enforceable obligation on TTPs to disclose keys when required to do so;

• protect TTPs from any criminal or civil liability which might arise from the disclosure of keys.

8. These aims would need to be achieved by national legislation in the state which has jurisdiction over the TTP's actions. If it is accepted, as argued in paragraphs 2 - 4 above, that there should not be a system of automatic recognition of warrants from foreign authorities, then the legislation would need to provide for the issue of a national warrant by the competent authority in the "receiving" state, within an agreed framework of arrangements for international co-operation. It is recognised that this sort of procedure will introduce some delays into the process of obtaining keys, but these should be considerably less than those which would arise from the provision of plain text.

9. The criteria for granting a key access request from another state might be:

• the request has been made by a recognised competent authority in the "requesting" state (this might be an executive or a judicial authority according to the law of the requesting state);

• the request discloses information which satisfies the competent authority in the receiving state that the release of keys is required for the prevention or investigation of serious criminal offences, or in the interests of the national security or economic well-being of the requesting state;

• the request satisfies the competent authority in the receiving state that release of the requested keys would not adversely affect the national security or economic interests of the receiving state or any friendly state;

• the receiving authority is satisfied that there are adequate arrangements in the requesting state for ensuring that keys are held securely, not used for purposes other than those disclosed in the request, and are destroyed when no longer required.

10. The international arrangements could be provided for either by bilateral agreements or a multilateral convention. The commitments created by any convention should ideally be the minimum necessary to achieve the desired effect:

• states would be required to have legislation in place to enable them to consider requests for key access from other states which are parties to the convention;

• the competent authority to determine a request from another state should be a matter for national legislation;

• the authority in the receiving state should not be required to agree to any request unless the criteria of its national law on key access are fulfilled;

• a refusal by a competent national authority to comply with a request from another state should not be reviewable by any international tribunal.

0. Competence of information security personnel.

0. Competence of directors.

0. Competence of information security management.

0. Technical assurance of IT security equipment used for key management and storage.

0. Adherence to quality standards and procedures.

0. Assessment of business plan and longevity of interest in market.

0. Isolation of TTP function from other business functions.

0. Interface requirements to other Licensed TTPs.

0. Company structure and ownership.

Anyone who wishes to have secure communication between two parties, particularly those that have never met.

No. The market will decide if it wants to use TTP services. Those wishing to do otherwise will be at liberty to do so.

Any commercial or non-profit organisation would be eligible provided that it can meet the appropriate licensing conditions.

A network of TTPs, operating to a common architecture should present significant benefits. For example, availability and interoperability of encryption products; a supporting infrastructure that facilitates international public key certification for authenticity, integrity, and confidentiality; expensive and complex key management tasks and secure backup facilities to prevent irretrievable loss of information. Secure communication between unknown parties, without the need to depend on either expensive or multiple solutions, will become common place and thus lead to increased confidence and use of the information society.

There should be no less reason to trust a TTP than there is to trust, for example, a bank. A licensing regime will help to ensure that only reputable service providers are able to become TTPs. It is important to note that whilst a TTP will hold private confidentiality keys in escrow, it will not normally have access to the encrypted traffic as this will be sent by the user over whichever telecoms network he chooses.

Government departments will need TTP services as much as other organisations, especially where business is transacted with the public.

Given the position of trust that a TTP would hold, and the importance its clients will attach to their reliability, some form of regulation of the activities of a TTP is necessary if only to protect the public.

No, but any foreign TTPs offering services in the UK will need to meet the UK licensing conditions.

No. For use in the UK that is an issue for the market to decide.

As is made clear in Mr Taylor's statement on 10 June 1996, the DTI will conduct more formal consultation with all interested parties prior to introducing legislative proposals. This consultation paper forms the major part of that ongoing consultation process.

After this consultation period is complete and at the earliest opportunity in the legislative programme. Other circumstances permitting, we hope to bring forward legislative proposals during the next Parliamentary session.

No. Electronic commerce is global in nature and the international perspective needs to be fully taken into account. The UK approach is consistent with ideas being discussed in other fora such as OECD and the European Union.

Where a warrant has been obtained under due process of law, TTPs holding secret confidentiality keys will be required to release them to the law enforcement authorities.

No. It is important to be clear that it is not envisaged that the encrypted communication would be routed via the TTP. Nor will the TTP encrypt the message, it will merely assist (depending on the service offered) in the very complex area of key management or Key Certification.

Criminals will often make use of whatever technology is conveniently available to them. We expect TTPs to have a major role in conveying secure electronic communications, especially where a payment for legitimate services is involved.

No. The UK accepts that businesses have a need to safeguard both the integrity and confidentiality of their information, and is keen to find effective means of meeting this need. The TTP approach will provide such a means, but in a way that would also meet another important need, namely to preserve the effectiveness of the existing powers to intercept communications. Similar safeguards to those that already exist under the Interception of Communications Act 1985 will be established. Widespread encryption has the potential to make legally intercepted messages unreadable, to the detriment of all law abiding citizens.

Products for specific use within a licensed TTP network should not create export difficulties. The fact that they would be for use under such a system should allow them to be exported with minimum restrictions being applied.