The Electronic Communications Bill is finally with us

The Queen's speech this week presented long-awaited ecommerce legislation to Parliament, the culmination of two-and-a-half years of wrangling which has seen the government switch from draconian regulator to laissez-faire liberal.

With the government's majority of 176 MPs, the Bill's parliamentary success seems guaranteed. But its suitability and the level of industry backing for it is questionable.

The aim is to establish the legal basis of ecommerce in the UK, by according electronic signatures legal status. The government will also create a licensing scheme for so-called trusted service providers of cryptography products.

Providers are expected to offer encryption keys, used for encrypting email traffic, and recovery services for lost keys. Fledgling examples are already operated by the Post Office, ViaCode and BT.

Self-regulation scheme

Labour does not, however, propose to enforce its own licensing scheme, and wants the IT industry to come up with a voluntary self-regulatory scheme. The industry, which was represented by the Alliance for Electronic Business, drafted proposals for the scheme with the Department of Trade and Industry (DTI) on 5 November.

Trusted service providers will adhere to standards, such as security standard BS7799, and produce certificates against an expected model format.

No date has been given for the scheme's inception, although this is expected within weeks, possibly around the time the Bill is introduced into Parliament. Neither is it clear how the scheme will be enforced, although presumably members could be prosecuted under civil law.

The delivery of the plans on schedule disproves earlier suggestions that the scheme was in trouble. Problems were thought to have centred on the complexity of the regulation, disputes between the trade bodies involved, and questions over how to charge.

For and against

Some in the industry have welcomed the proposals. BT's certification authority, Trustwise, is expected to seek accreditation. "Anything that helps build commerce in ecommerce has to be good," said Michele Mooney, head of trust services at Trustwise.

But critics say the UK's economy could be saddled with an unworkable framework of regulation. "There's been no consultation with industry," said one ecommerce lobbyist, who wished to remain anonymous.

Nicholas Bohm, ex-City lawyer and legal officer for thinktank, The Foundation for Information Policy Research, calls the DTI's model "wishful thinking."

"Vendors may talk it up, but how many people are using it?" he asks. "There's no scheme for ordinary signatures. Why should there be any for digital ones?"

Concern for human rights

One controversial element of the Bill is, at the time Computing went to press, expected to be dropped. Police are expected to be granted powers to decode encrypted data held on servers or captured in transit. It is thought that users of encryption will either have to give up their encryption key, decode the data, or prove they do not have the key or cannot decode the data.

Critics say this reverses the normal burden of proof, because the alleged data holder - likely to be in the first instance a network manager - has to prove that they do not hold data, rather than the police being forced to find it. Specialist legal opinion suggests this could be a breach of human rights.

This is expected to be part of a separate bill revising the Interception of Communications Act, which allows phone tapping powers to be extended to the Net and corporate networks. This takes the most controversial measure out of the Bill, and is likely to smooth its progress through Parliament.

It does not, however, alter concerns over the law enforcement requirements to demand encryption keys. Internet service provider Demon Internet estimates that measure will add between 10 and 15 per cent to its operating costs.

The next parliamentary session promises the UK an ecommerce framework. But will the proposals be a triumph of enthusiasm over common sense? That remains to be seen.