OFTEL, the telecommunications regulators, has begun to set out its new role as regulator for Certification Authorities (CAs) or trusted third parties in its March 1999 memorandum “Trade and Industry Select Committee: Inquiry into Electronic Commerce” (available at www.oftel.gov.co.uk/superhwy/tisc0399.htm).
The memorandum, published before the long-awaited e-commerce Bill, also provides some further insights into the Bill’s provisions.
EU Electronic Signature Directive
The Directive is in the final stages of negotiation and is likely to achieve formal adoption in the second half of 1999. It proposes a voluntary licensing framework for CAs, the main features of which are:
• defining the requirements for those signatures that are to be recognised as legally equivalent to those which are handwritten
• prohibiting prior authorisation of bodies providing signature services – which means no mandatory licensing system
• permitting the establishment of voluntary accreditation schemes with a view of promoting high standards
• prohibiting discrimination against non-accredited signature providers
• requiring member states to take appropriate measures to ensure the supervision of all signature providers in terms of compliance with the Directive’s requirements
Electronic Commerce Bill
OFTEL is being consulted on the drafting of the DTI’s consultation paper on the Bill. The features that are relevant to OFTEL’s proposed role as licensing authority are as follows:
• It will create voluntary licensing framework for cryptographic services, which include electronic signatures and confidentiality services.
• The Bill will introduce a legal presumption that signatures from accredited providers should be considered to meet all requirements for legal recognition.
• It will go further than the Directive by extending the voluntary licensing regime to cover the management of encryption keys to provide a confidentiality service.
• For confidentiality services, it will recognise the different nature of these services by imposing different requirements from those placed on signature services.
• The criteria for accreditation are not likely to be set out in the Bill – they are likely to set out in secondary legislation.
• It will establish a licensing authority to carry out the accreditation process, issue licences and enforce compliance with any conditions attached to the license. Some of these functions may be delegated while some may be retained by the DTI.
OFTEL’s role as licensing authority
OFTEL cannot be precise about the nature and extent of its role at this stage. However, it envisages that it will cover:
• initial vetting and accreditation
• ongoing supervision on a regular or “spot-check” basis
• investigation of complaints
• enforcement where requires standards have not been met
Is OFTEL the appropriate licensing authority?
OFTEL believes so because:
• it already regulates enhanced telecommunications services
• encryption services involve peculiar “networked” characteristics of telecommunications services
• at a procedural level there are similarities with OFTEL’s role in approving material systems for PTOs
• it has considerable experience as both a competition body and consumer protection body
• OFTEL already works closely with the DTI and Home Office on security matters
OFTEL’s memorandum is a useful insight into the long-awaited e-commerce Bill. There are few surprises. From an e-commerce point of view, it is unfortunate to see reference to cooperation with the Home Office which presumably means giving the authorities access to encryption keys in the circumstances envisaged by the DTI statement on “Secure Electronic Commerce” of April 1998.
The controversy over this privacy issue looks set to continue.
Electronic Business Law
April 1999
Vol 1 Number 3