The regulation of electronic commerce: learning from the UK's RIP act

Authors

  • Ian Hosein
  • Edgar A. Whitley

Abstract

National governments have a legitimate rôle to play in the development of national strategies to support electronic commerce. It is not always clear, however, what any electronic commerce legislation should incorporate or how regulation of electronic commerce should be implemented. This paper explores the strategic issues that underlie national electronic commerce strategies by following the passage of a particular piece of legislation (the UK’s Regulation of Investigatory Powers Act, 2000) through Parliament. In identifying some of the arising strains with the interests of industry and civil society, this paper will discuss some of the legal, technological, economic, and political issues that may arise in other countries as they consider the policy habitat of electronic commerce.

Introduction

Electronic commerce is perceived as an important element of most developed economies. As a result, most governments are taking an active rôle in determining the regulatory environment surrounding the implementation and development of electronic business. The choice of regulatory intervention depends upon the form of the political economy in the particular jurisdiction together with perspectives on how and why regulation should be implemented for this form of economic activity.

This paper seeks to explore the complexity of developing a regulatory environment or habitat (Hood 1994) for electronic commerce. It does this by focussing on a particular piece of legislation from the United Kingdom, the Regulation of Investigatory Powers (RIP) Bill that received the Royal Assent on July 28 2000. This can be seen as one of the strategic measures undertaken by the British government in an effort to provide a level playing field for electronic commerce in the United Kingdom.

The Bill was one of the most highly contested pieces of legislation to be placed before the British Parliament in recent years. From the outset, the government argued that it was well thought out, having been the result of detailed engagement with “serious commentators” (Clarke 2000b).
However, the business community, and privacy advocates, undertook a major political activity to try and change the legislation in a number of its key areas, suggesting that despite the best efforts of the government, there were still many viewpoints on the process that hadn’t been understood properly or taken into account fully. The controversy surrounding the introduction of this piece of legislation indicates the inherent complexities surrounding the regulatory habitat (Hood 1994) for electronic commerce. The Bill highlighted the conflicting requirements of secure communication and access requirements of law enforcement agencies; the problems of legislating in a rapidly changing technological environment; the need to minimise the costs and risks of any proposed legislation; the goal of maintaining the human rights of those affected by the legislation; and doing all this in a global context.

In order to understand these issues the paper draws on theories of regulation. Research on regulation typically seeks to address three main questions:

  • Why is regulation introduced for an area?
  • How is the form of the regulatory intervention determined?
  • How is the process of introducing and implementing the regulation managed?

This paper presents the case of the British governments’ attempts to arrive at a regulatory regime, and how the strategies shifted due to conflicts and opposition. This is particularly observable within the process of passing the RIP Bill, which is then investigated in detail, through media, public, and Hansard.

The next section reviews the traditional arguments for government intervention through regulation and introduces the key issues that any understanding of regulation must address. Some initial responses to these issues are then presented, before reviewing the broader context of policy making on cryptography in the United Kingdom.
This policy debate led to the RIP Bill and the paper then reviews the decisions made about the research method before describing the Bill in Parliament and the issues it raised. Through a presentation of the Parliamentary debate, the paper highlights those areas of the Bill that were changed and the reasoning behind the changes, together with those aspects that were left unchanged despite protestation. The paper ends with a discussion of the lessons learned about the regulation of electronic commerce from the experience of the RIP Bill.

Governments, regulation and electronic commerce

Despite the increasingly global nature of business (Braithwaite and Drahos 2000), which some see as limiting the rôle and scope of governmental action (Angell 2000) (Beck 2000), it is still the case that governments play an important rôle in the regulation of domestic affairs. All businesses are tied to local environments and hence to local legal frameworks, whether they are brick and mortar firms or new organisations undertaking electronic commerce. These legal factors govern all aspects of business, from matters of incorporation and taxation, through mundane issues of the lease or purchase of commercial property, to issues associated with the particularities of electronic commerce. Even the internet, often seen as borderless, is susceptible to ‘unilateral’ action taken by local governments. For example, the Bavarian Court ruling on the content provided by CompuServe (Goldsmith 2000 p.142) and the French ruling against Yahoo! banning the sale of offensive memorabilia on its auction sites (Akdeniz 2001) had impacts far beyond the local jurisdictions ‘covered’ by the rulings which may give rise to conflict over jurisdictions (Court Ruling 2001). Multilateral action, taken by groups such as the G8 (G8 1997) and the Council of Europe (Council of Europe 2001) can also affect internet activities and even infrastructure design.

The notion of government intervention in commercial activities is not new; in the United Kingdom it can be traced back to the Tudor and Stuart periods. Regulation has been articulated as serving ‘the public interest’, especially when traditional market mechanisms are not believed to be working properly. To be credible, however, any form of regulation has to be more effective than the market mechanisms it replaces, as the costs of ensuring compliance can be considerable (Baldwin, et al. 1995).

Government intervention as a result of new technology is not new either. Contemporary literature in most disciplines discusses technology as a disruptive force to the status quo. The regulation literature notes that information technologies can change the nature of regulated industries, as in Peltzman (Peltzman 1989) on the sources of pressure for deregulation, being

... changes in the ‘politics’ and changes in the ‘economics’ of the regulated industries. Political change includes such things as shifts in the relative political power of contending groups and changes in the underlying organization and information technologies. (p.108)

Peltzman continues that technology is a disruptive force on regulations ranging from interest–rate regulation (p.121) to telecommunications regulation (p.117). Likewise, Hood (Hood 1994, p.11) reports on various theories on the reversals of policy, including the cause of a ‘loss of policy habitat’ that can be a result of ‘structural changes’ such as the change of technology. As a result, applying a regulatory regime to a new domain, such as electronic commerce even with its changing technological environment, may seem natural. Within a specific proposed regime, there are challenges that may arise, and conflicting goals may become apparent.

Interrogating regulatory intervention

Baldwin and Cave (1995) introduce the following framework for interrogating a new regulatory intervention:

  • Why is regulation introduced for an area?
  • How is the form of the regulatory intervention determined?
  • How is the process of introducing and implementing the regulation managed?

Using this framework, the paper will identify some issues surrounding electronic commerce regulation.

Questioning the need to introduce new regulation

In traditional industries, regulation is often considered for monopolies; to address ‘windfall’ profits; to manage externalities and information asymmetries; to ensure continuity or availability of service; to control excess competition; for public goods and situations of scarcity and rationing and for circumstances where bargaining power is unevenly distributed or for other social policy aims (Baldwin, et al. 1995).

Regulation is also considered necessary in order to be consistent with existing statutes and other regulatory regimes, especially in the light of technological changes. This can take the form of introducing regulation for the first time, for example, the introduction of the 1984 Data Protection Act; or as is common in Europe, updating and introducing new legislation as a consequence of other Acts and international agreements. For example, the Council of the European Union 1995 Directive on data protection (European Union 1995) required implementing new harmonized regulations in member countries on data protection and therefore the 1984 Act was superseded by the 1998 Data Protection Act. Furthermore, such previous regulations are often updated, in order to consider varying technological environments (European Union 1997) or due to changes in the technological environment (European Union 2000). Therefore, new regulation is introduced to maintain consistency with existing regimes, and to cater for new technological developments.

Determining the form of new regulation

There are a variety of regulatory interventions that are possible, with varying levels of control exerted.
Excluding the laissez faire ideal, at one end of an interventionary–spectrum is self regulation, where the government delegates the task of regulation to the industry itself. This is particularly common in media regulation where governments do not wish to be seen to be controlling the media; and is effectively the policy in the United States with regards to privacy legislation because of fears of hurting the market with onerous legislation (Armey 2001, Hahn 2001). At the other end is regulation through statute and the creation of regulatory bodies. In the United Kingdom, regulation is often enforced by specially created regulatory offices, such as OFWAT for the water industry (OFWAT 2000), OFSTED for standards in education (OFSTED 2000) and OFGEM for gas and electricity supplies (OFGEM 2000). Between these extremes other forms of intervention also exist, such as voluntary regulation, licensing and co–regulation (Baldwin, et al. 1998).

Questioning the process of introduction and implementation

The means by which regulation is introduced varies between political systems. In the United States, the emphasis is on due process and open hearings, whereas in the United Kingdom a system of closed negotiation and confidential hearings is preferred. In the light of the recent controversies surrounding BSE related health scares (Seguin 2000), there are proposals for reform to the British approach. The British approach results in a cheaper and quicker process than the US, although there is a risk of haphazard decision making as the various interests are heard together, rather than through separate hearings (Baldwin, et al. 1995).

Initial considerations

When these questions are addressed to the environment of electronic transactions, certain issues become apparent immediately. For example, one of the factors influencing the need for new regulation is to maintain the traditional powers of the state (Hosein 2001).
When new regulation is applied for electronic commerce, there is a need to ensure that such interests are addressed within the new regulatory habitat. Although other forms of intervention such as voluntary regulation, licensing and co–regulation were considered in the UK, they were deemed inadequate due to the nature of the market considered and the effectiveness in meeting the Government’s goals. When the Department of Trade and Industry (DTI) was directly responsible for the electronic commerce strategy, and statutory intervention, it considered establishing licensing regimes. As the responsibility shifted to the Home Office, a different form of intervention was settled upon with the introduction of the RIP Bill. That is, a statutory intervention effecting obligations on the individual and industry was selected as the only effective way of meeting the interests of the British Government.

As a result, we notice that the selection of the ideal body for managing the British electronic commerce policy was in itself a challenge. Responsibilities shifted between economy–minded institutions and executive institutions: in the United Kingdom it was from the Department of Trade and Industry, to the Cabinet Office, and ultimately the Home Office. In common with many areas that are to be regulated, electronic commerce does not fall naturally within the scope of any one department and so political choices need to be made as to who will take ownership of the regulations and see them through parliament and beyond (Baldwin 1999). This is in direct contrast to the United States where policy on cryptography began in national security institutions, and moved gradually to those relating to commerce.

The choice of body and the nature of intervention also affect the process. While the United States has an open process of testimonies to Congress and public media lobbying, the British discourse was remarkably different.
When the DTI was responsible for the strategy, the process involved public consultation documents and submissions. After this did not result in the government's desired outcome, the Home Office assumed responsibility, but in so doing limited much of the contentious discussion by releasing the RIP Bill for consideration in Parliament without significant prior consultation on the issue of encryption. As a result, the greatest proportion of the debate occurred within the Parliament (between parliamentarians rather than within the public domain), and surprisingly more so within the House of Lords, an institution that is often felt to be disconnected from the public. This resulted, again surprisingly, in a great deal of last minute amendments to settle some of the interests of industry and advocates.

Beyond the framework: Further considerations

A further issue that is looming behind all of these considerations is globalization. The global nature of business also means that governments must act with an appreciation that any actions they take may have effects outside their borders. While this is not necessarily new (and has often been a consideration in taxation policy, or international judgements (Hague Conference On Private International Law 1999)), it is argued below that the electronic commerce infrastructure may enable cross–border technical and organisational designs and implementations. In particular, if governments make the environment less amenable to internet–based companies then they can relocate, with greater ease than traditional companies, to other locations outside that particular jurisdiction, with knock–on effects for the local economy (Angell 2000). These ‘knock–on effects’ will affect the varying interests of the state, including economic growth and taxation, as well as surveillance capabilities.

To conclude, introducing a new regulation involves many strategic issues, and this may be particularly the case within changing technological environments, and within industries, such as electronic commerce, that captivate actors with their great potential and excitement. The decision of who intervenes may shift, the process of policy development is thus affected and affects the selection of the mode of intervention, and the predominance and conflicts of interests arise and await settlement. This all occurs within an industry that can shift to other jurisdictions, and with technology that can, and often does, alter the policy environment and transform traditional powers and institutions (Hosein 2001).

In the next section, the broader context of policies on cryptography is introduced. The section reviews the ways in which policy discussion on cryptography was undertaken, a discussion that resulted in the RIP Bill.

From the beginning: Policies on cryptography

Electronic commerce policy and cryptography policy within the United Kingdom have been almost inseparable, even though they have ended up being officially addressed in distinct pieces of legislation. The regulation of modern cryptography dates back to the Cold War, and multilateral agreements to restrict the export and use of cryptography due to national security concerns (Wallace and Mangan 1997 p. 42) (Heinz 1991). These concerns of national security transformed into law enforcement concerns as communications technologies became more widespread and advanced: individuals, and not just foreign governments, could use cryptography to encrypt files and communications, which could only be decrypted using keys in the possession of the individual, and this would interfere with traditional powers of the state, and existing statute.

While open discussion of cryptography policy in the United States began in the late 1980s and early 1990s before the promise of electronic commerce, the United Kingdom began its debate about its regulatory intents much later. This timing has interesting discourse implications. The United States, for many years framed cryptography regulation with respect to national security concerns and was forced eventually to consider it under law enforcement concerns, and in the mid–1990s the concerns of electronic commerce joined the fray. On the other hand, because the United Kingdom addressed the issue after the advent of electronic commerce, the British governments were forced to address cryptography and its various implications in tandem with electronic commerce. That is, cryptography, as is articulated below, is considered essential to secure electronic commerce, so any policies on electronic commerce necessarily affect existing cryptography policies, as the United States realised over time; while the United Kingdom (and other contemporary national policies) noticed that discussion of cryptography policy could not occur without discussion of electronic commerce and conducted the discourse accordingly.

In 1996, the Department of Trade and Industry (DTI) announced its Regulatory Intent Concerning Use Of Encryption On Public Networks (DTI 1996). Although there had been previous speeches and limited discussion on the topic, this was the first active statement of intent from the government. The regulatory intent was “to facilitate the development of electronic commerce by the introduction of measures which recognise the growing demand for encryption services to safeguard the integrity and confidentiality of electronic information transmitted on public telecommunications networks”. The government proposed the creation of Trusted Third Parties as key elements in the electronic commerce infrastructure.
These third parties had a secondary rôle, however: they were required to retain copies of decryption keys to “preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act” (DTI 1997). This intention was developed into a consultation paper from the DTI in 1997 (DTI 1997) which outlined the implementation and licensing of these trusted third parties. These parties, deemed by government to be required by electronic commerce, were to fall under a mandatory licensing regime, where the license would only be granted if these third parties stored a copy of all decryption keys of their clients. This depository of keys held by trusted third parties could then be accessed by government law enforcement and national security agencies. During the resulting debate about the proposals, many organisations pointed out that decryption keys must be kept secure, and having government access to keys through trusted third parties was introducing risks to the security of the system (Abelson, et al. 1998), thus conflicting with the government’s goal of supporting and developing electronic commerce (Hosein 1998).

The policy was placed on hold after the consultation process as an election occurred. Even during this election campaign, which resulted in a change of government from Conservative to Labour, cryptography and electronic commerce policy was an issue. In its 1997 election manifesto, the Labour Party had stated:

The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti–criminal purpose, would be to enable decryption to be demanded under judicial warrant (in the same way that a warrant is required in order to search someone’s home).
Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long–term economic value of the information networks. Adequate controls can be put in place based around current laws covering search and seizure and the disclosure of information. It is not necessary to criminalise a large section of the network–using public to control the activities of a very small minority of law–breakers. (Labour Party 1997).

Perhaps unsurprisingly despite the ‘New’ Labour label, many of the new government’s policies were in fact continuations of policy processes initiated by the previous Conservative government. Over the next two years the government responded to business concerns and criticisms of the previous mandatory approach to licensing trusted third parties (DTI 1998 sec 14). It proposed instead a voluntary licensing scheme, where licensing was contingent on the third party storing a copy of the decryption key of an individual, thus upholding the principle of government access to keys and, through statute, providing for lawful access to keys:

(In response to these concerns) the Government intends to introduce legislation to enable law enforcement agencies to obtain a warrant for lawful access to information necessary to decrypt the content of communications or stored data (in effect, the encryption key). (DTI 1998 sec 14)

This policy was further developed in another consultation process from the DTI (1999a). This report also included a technical differentiation, which was an attempt to differentiate between the interests of secure electronic commerce and government access to keys for maintaining a safe society. This technical differentiation involved the acknowledgement that digital signature keys with integrity/authentication properties (assumed to be under licensed Certification Authorities) were separate from decryption keys with associated confidentiality properties (assumed to be under a trusted third party regime).
These Certification Authorities would be used to provide confirmation of the identity / authenticity of individuals and transactions and verify non–repudiation; essentially electronic commerce concerns. The provision of these authentication services was separated from the ability to decrypt encoded messages, which would be handled by the trusted third parties and their key–depositories:

The Government is committed to a clear policy differentiation between electronic signatures and encryption. This reflects the valid concerns expressed by industry during the consultation process launched by the previous administration, and recognises the different commercial applications of these services and the different challenges they pose to Government policy (sec 35)

The response to this second consultation document was still one of general concern, as the DTI (1999b) reported:

Many people repeated the view that the whole issue of lawful access should be decoupled from the measures to build confidence in electronic commerce, and would be better dealt with in a separate Bill, possibly after the forthcoming Home Office review of the Interception of Communications Act 1985. Confidence–building measures were thought to be more urgent, whilst lawful access measures were seen as: (a) likely to cause delay, and (b) having the potential to reduce confidence in the UK as a good place to base an electronic commerce service or business (sec 5).

During this period, the Prime Minister, through the Cabinet Office, commissioned a report from the Performance and Innovation Unit (PIU), entitled Encryption and Law Enforcement (PIU 1999). In a foreword written by Prime Minister Tony Blair, he outlined clearly the dual–interests of government:

I am determined to ensure that the UK provides the best environment in the world for electronic business. ... But I am equally determined to ensure that the UK remains a safe and free country in which to live and work.
The rise of encryption technologies threatens to bring the achievement of these two objectives into conflict. (PIU 1999 foreword).

Continuing this strain of objectives and interests, the PIU report outlines the importance of encryption technologies to electronic commerce (chapter 3), but also the importance of access to law enforcement (chapter 4). The report acknowledges that the past measures of government were unlikely to allow access to the communications and stored data of criminals who would operate outside of the voluntary regimes (p.12), and doubts the commercial success of the trusted–third party key depository service (p.13). As a new approach, the report advocated working with industry to find a solution, and to support the idea of legislation on lawful access to individuals’ decryption keys rather than the key depositories (p.15):

(t)he task force welcomes the intention to include in the Electronic Commerce Bill provisions to allow lawful access to decryption keys and/or plain text under proper authority. The task force also recommended that further attention should be given in the Bill to placing the onus on the recipient of a disclosure notice to prove to the authorities that the requested keys or plain text are not in his possession, and to state to the best of his knowledge and belief where they are. (p. 15)

What followed from the PIU report and the consultation paper was a phase of flux. During this period, the Home Office began consultation on alterations to the 1985 Interception of Communications Act (Home Office 1999) dealing with lawful access to communications and traffic data. Additionally, as mentioned in the PIU report, a draft Electronic Commerce Bill was released by the Department of Trade and Industry, as presented to Parliament by the Secretary of State for Trade and Industry in July 1999. The most notable part of the bill was the granting of government powers to gain access to keys under a notice (ECB 1999 Part III).
The remainder of the Bill dealt with the legal recognition of digital signatures, and the operation of Certification Authorities. Again this gave rise to controversy and threatened the introduction of the Bill due to problems surrounding a legal audit (Beatson and Eicke 1999) commissioned by a think–tank, the Foundation for Information Policy Research, and a civil liberties organisation, Justice, stating that the Bill may be in contravention to the European Convention on Human Rights. The variety of arising issues (as in FIPR (1999)) included self–incrimination; the process of handing over keys and uncertainty as to which key was required to be given to law enforcement: would session keys suffice, or would private keys be required? The draft Bill did not recognise any differences amongst keys beyond the granularity level of signature keys and decryption keys, as realised in 1999 despite the issue having been raised during the consultation process (Hosein 1998).

The most contentious section surrounded the failure to disclose a requested key. If the individual receiving a disclosure order does not disclose the key, a prison sentence may be imposed. If the key is lost, forgotten, or deleted, the draft Bill requires that proof of this loss is provided by the individual. The result, which the Home Office refuted for most of the length of this process (Home Office 2000), is that there is a reverse burden of proof: failing to make such a proof, the

March 1996 Regulatory intents on encryption: Creation of Trusted Third Parties involving key escrow


Journal title:
  • J. Strategic Inf. Sys.

Volume 11  Issue 

Pages  -

Publication date 2002