Intel Corporation (UK) Ltd. response to the UK Government consultation paper on the licensing of trusted third parties for the provision of encryption services

Summary of points made

Detail

Intel Corporation (UK) Ltd welcomes the Consultation Paper as providing an opportunity for the Government to become fully apprised of the views of business and the public on encryption.

We have both general and specific concerns with the proposals as they currently stand. These are set out below and summarised in Annex 1. Overall, we believe that the proposals will not deliver the intended aims and that further consultation would help develop the Government’s policy. We would be happy to take part in that consultation.

We are content for the comments to be published within the context of a Summary of Comments referred to in paragraph 8 of the Paper’s introduction.

Comments on the context for the current proposals

The Consultation Paper makes it clear that the policy proposals stem from the need to provide:

The first need arises from the increasing expansion of electronic commerce and the growing market for encryption services as a means to provide integrity and privacy in transmissions of electronic information. The second need arises because enforcement agencies demand access to decrypted transmissions on occasions.

We note that the proposals relate only to the regulation of trusted provision of encrypted services and will not mandate or prohibit any aspect of the use of products containing cryptographic functionality.

We support the principles that led to the proposals. Until consumers and businesses trust that their Internet transactions are private and secure, the Internet will not become a viable business conduit. Building trust and confidence among businesses and consumers implies the deployment of secure technologies and of a predictable legal framework to support these technologies.

However, Intel strongly believes that governments should not limit the use, export and import of strong cryptography products and should not mandate that corporations place their keys in the hands of government agencies or government-approved entities. Government controls on encryption create competitive inequities and undercut the international premise of the Internet.

Legislation to address the cryptography problem must be technology-neutral - there is a danger that overly specific laws promoting a specific approach to cryptography, such as advocating Trusted Third Parties (TTPs), will enshrine current technology, and also restrict innovative computing schemes which could contribute more appropriately to the delivery of the overall aims.

OECD guidelines

In March 1997 the OECD adopted and issued guidelines to countries formulating their own policies and legislation relating to the use of cryptography. We note that the guidelines acknowledge that cryptographic policies should allow "lawful access to plaintext, or cryptographic keys, of encrypted data", but that there is no presumption that one method of securing access is preferred over another.

European Commission Communication

In April 1997, the European Commission issued a Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions entitled ‘A European Initiative in Electronic Commerce’. The aim of the Initiative is to encourage the vigorous growth of electronic commerce in Europe. As with the OECD guidelines, there is no preference in the Communication for a specific approach to cryptography issues, e.g. TTPs. Rather, there is the acknowledgment that there should be ‘no regulation for regulation’s sake’, and that any legislative action should impose the fewest possible burdens on the market and keep pace with market developments.

The Commission also states that it will work at international level ‘towards the removal of trade barriers for encryption products’. It is therefore imperative that any national proposals should not offend this Single Market principle and throw up barriers which directly or indirectly restrict the free movement of encryption technologies and trade in encryption products.

New Government

The Consultation Paper was released during the term of the last Government. When in opposition, the current Government set out its strategy for building the information society in the UK in a paper entitled ‘Communicating Britain’s Future - Labour’s policy on the superhighway’.

That document espouses a different policy to that set out in the Consultation Paper; in particular the document states ‘the only power we would wish to give the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant’.

We understand that the new Government has not yet declared whether it intends to pursue its stated policy or adopt the proposed policy in the Consultation Paper. In the light of the concerns expressed above, we would ask the Government to assure itself that:

We have doubts that the current proposals would meet these four criteria, and believe that the Government should look afresh at the issue, whilst continuing to consult business and the public.

Comments on specific issues raised in the consultation paper

The scope of exclusions from the TTP licensing regime

We take the proposals as relating solely to the provision of encryption services to the public. This is not as clear in the text as it should be, howev

The Paper asks for views on the scope for ‘exclusions’ (para 50) and also on ‘exemptions’ (para 70) from the licensing requirements. It is not clear whether a difference is envisaged in law between an exclusion and an exemption; for instance would organisations have to apply for an exclusion because they fall within the scope of the law, whereas exempt organisations would not have that burden?

Paragraph 48 states that TTP legislation will not require intra-company TTPs or similar closed user groups to be licensed. As there is no clear definition of ‘similar closed user groups’ it is not certain whether arrangements which are equivalent to an intra-company supply of encryption services are excluded; for instance:

We read the proposals as already excluding such arrangements, however, since Paragraph 66 states ‘Encryption that is used solely in the protection of a business service are outside the scope of this legislation’. But the examples given suggest this may not be the intention - a bank supplying encryption services to its clients is excluded, but (in para 68) an employer offering cryptographic protection to his suppliers would need a licence.

Widening the proposals beyond the provision of encryption services to the public to include any company-to-company information transfer would be intrinsically burdensome. Organisations build trusting relationships with clients, suppliers, collaborators, even competitors as part of everyday commercial life. That trust is self-regulating.

The increasing use of electronic communication between organisations suggests that if the proposals were to be applied to company-to-company communication, they would, over time, require practically every company in the UK, and most overseas companies using UK companies in partnership agreements, to be licensed. Such a scenario would not help the Government achieve its wider policy aims for building the information society in the UK. We would therefore welcome a clearer statement on the scope of the proposed legislation.

Need for legislation on recognition of electronic signatures

As the proposals point out, giving electronic signatures legal effect requires the amendment of many articles of UK law. This could be a lengthy process. But without legislation, doubt as to the status of such signatures could restrict trade, or add costs as businesses make other provisions to ensure contractual validity.

However, framing proposals on contractual law within the proposals for TTPs is, to an extent, trying to catch an elephant with a mousetrap, and might not be the best way to deal with this issue. We would support moves to address this issue in an EU context to ensure consistency among Member States; the forthcoming UK Presidency of the EU might provide an opportunity.