THREATS AND OPPORTUNITIES POST 114
s Background to DTI's latest proposals on security TECHNICAL April
s Electronic business and erosion of the tax base REPORT 1998
s Content regulation
POSTreports are intended to give Members an overview of
Although slow to start, electronic commerce over the issues arising from science and technology. Members can
Internet is growing fast and making it necessary to obtain further details from the PARLIAMENTARY
OFFICE OF SCIENCE AND TECHNOLOGY (extension 2840).
address key issues which will determine the way in
which this truly global marketplace develops.
BOX 1 COMMERCIAL USE OF THE INTERNET
This note explains some of the arcane and complex
related issues (e.g. encryption). Electronic commerce has been growing for many years, and links
companies to suppliers, financial institutions together, and business
E- COMMERCE AND THE INTERNET to Government. While business over the Internet is small in
comparison, it will become increasingly important because of:
The Internet has long been in the news as a means of q Mass access - there are already approaching 100M people
spreading information, as a way of communicating and connected via their computers to the Internet, and new interac-
increasingly as a means of advertising. Many compa- tive digital TV is likely to offer much easier access to the World
nies have also turned to the Internet to add an extra Wide Web (WWW).
dimension to their existing business, and there are also q There is a general trend toward harmonising current standards
(such as CALS, EDI, etc) with Internet standards for all data
companies which have set up from scratch and operate
networks, which will make it easier for business to use the
exclusively in an Internet environment. This is push-
Internet for business to business contact.
ing to the forefront technical issues such as encryption,
how Internet business should (or could) be regulated The number of commercial web sites passed 250,000 in 1996 and
and managed, and also how such ‘e-business’ ties in is still rising fast. The ‘old’ e-commerce required specific relation-
ships between organisations and individuals. The wide-open mar-
with the tax system. These issues are not trivial - the UK
ket via the Internet, however, means that anyone with a computer
is the fourth largest IT, electronics and communications
and Internet access can become a merchant and reach customers
(ITEC) consumer worldwide and has the fifth largest all over the world; the consumer equally can find out about and buy
ITEC industry (£43B or 6.7% of GDP). This is a strong products offered anywhere. This throws up very different chal-
base from which to develop e-commerce which is ex- lenges, opportunities and risks. It can offer companies:-
pected to become a significant fraction of global GDP q a new advertising channel;
(see Box 1), making ‘globalisation’ and ‘virtualisation’ q a new means of reaching customers and receiving orders;
significant terms for the UK and other nations. q cutting out the middle-man by direct sale - airline tickets, books,
wine, etc. (called 'disintermediation');
ENCRYPTION q establishing new ‘virtual’ enterprises, or ‘virtualising’ existing
Electronic commerce has always used encryption. Thus q developing and selling new digital products (e.g. software,
when banks or financial service companies transfer WWW support services);
electronic funds, or an ATM communicates to validate q replacing physical goods (e.g. games, books, music) with their
a customer’s PIN number, messages are encrypted to digital equivalent.
guard against interception and fraud. These proce-
Estimates of the growth of e-commerce as a whole are rather
dures are not, however, suitable for providing security speculative still and often fail to differentiate between business over
over open networks such as the Internet since: secure intranets and over the public internet. Nevertheless, the
l Traditional models of e-commerce involve only a business conducted over the Internet is expected to rise dramati-
few participants, and those sending and receiving cally - to equal that from mail order sales by year 2000. For example,
messages can use the same encryption software direct airline ticket sales may reach $5B per year by 2000; one on-
and secret key. In contrast, the Internet allows line bookshop sold 6.5 million books in 1997 alone (although this
business with new customers from anywhere in the and other operations have yet to be profitable). Some industry
world, and it is impossible for everyone to have a estimates are however much higher - e.g. IBM anticipate Internet
commerce reaching $200 billion by 2000.
'secret key'. A very different approach is required.
l Because customers and vendors may have no prior As described in Box 2, one solution to these challenges
knowledge of each other in Internet commerce, is public (or dual) key encryption, which works as
electronic means are needed to verify identities - so follows. The company that wishes to do business over
that a customer sending money to a company’s web the ‘net’ obtains a set of public and private keys and
page knows it is not fraudulent; so that one party sets up the appropriate software on its computer sys-
cannot deny or renege on a commitment, and so a tems. It then makes its public key available to anyone
third party cannot easily interfere and change a who wishes to communicate with it. When a customer
message (e.g. the terms of contract). sends a message, he/she uses the computer to encrypt
P. O. S. T. Technical Report 11 4 April 1998
FIGURE 1 PUBLIC KEY ENCRYTPION FIGURE 2 SECURE INTERNET TRANSACTIONS
(a) CONFIDENTIALITY (b) VERIFICATION Customer browses and receives informa-
Ms tion from company web page - no security ABC plc
Ms A Hello Mr B Signature Smith needed.
and sends and sends
to PUBLIC(B) to PRIVATE(B)
&!=4gH 5&@"LP}<< Ms Smith: "I'd like to order something".
Mr B who ABC plc: "OK, here's my public key".
Ms A who Ms Ms Smith: "You're genuine, so here's my ABC plc
decrypts Smith credit card details or E-credit authorisation"
Hello Signature (encrypted).
ABC plc "OK, Order confirmed". a
with the public key, after which it can only be de- ve g?
crypted by the company’s private key. The ‘magical’ ith it ra
CA or Credit Sm red
feature of the mathematics involved is that even the es y c
Do ctor S
sender cannot de-crypt the message once it has been
encrypted using the public key (Figure 1). sa
Another property of the mathematics involved is that if
the reverse takes place - i.e. a message is sent by the could be used by organised crime to make its commu-
company with its private key, this can be de-crypted by nications and money transfers essentially uncrackable
any holder of the public key. If, however, it has been by law enforcement agencies; equally, national intelli-
tampered with in any way, this will no longer work, gence agencies’ ability to intercept and decode foreign
and thus the ability to de-crypt is proof that the mes- intelligence material could be compromised. It is how
sage is genuine and has not been tampered with. The to strike a balance between these ‘costs and benefits’
same techniques thus allow either party to electroni- of strong encryption that gives rise to the current
cally sign the document. policy debate.
To allow companies to do business with any potential The more powerful encryption techniques have been
customer, the public keys have to be available - just as subject to export controls for some time on the grounds
the telephone and fax numbers are in business directo- of national security. As described in Box 2, there have
ries. Making the public keys available in this way has been several attempts in the USA at striking a 'deal'
several implications. Such information needs to be which maintains preferential access by intelligence and
relatively centralised, so people know where to go for law enforcement interests to encrypted messages, as
it; there needs to be some method of ensuring that the the ‘price’ for allowing export of the technology. The
keys published do actually belong to the company or current policy debate centres on what methods should
individual concerned, and that the transaction is reli- be used to recover keys in order to decrypt messages.
able. A number of bodies offering such services (Cer- One route is to require users of strong encryption to
tification Authorities -CA) have already been set up. deposit a copy of their private key with an independent
For instance, US companies such as ‘Verisign’ and ‘Trusted Third Party’ who would be required to give it
‘Cyberscript’ allow a customer’s computer to check the up to appropriate judicial or ministerial authority (key
identity of the company and the validity of its public escrow). Another is where the encryption software
key (see Figure 2). Other organisations are developing involves registration with a key recovery agent.
similar services - e.g. Natwest and Barclays Bank have The last Government’s proposals in this field were set
agreed a legally-binding system for ‘digitally signing’ out in a consultation paper released in March 1997 - this
on-line forms submitted to the UK government. The proposed a licensing system for “Trusted Third Parties
market is thus responding to the need for security and for the Provision of Encryption Services”. Under these
authentication without government intervention. proposals, there would be no interference per se in the
The strength of public key encryption described in Box private use of encryption, but anyone offering encryption
2 is related to the length of each key and beyond a services to the public would have to be licensed by the
certain limit (perhaps 56-bits or longer), the encrypted DTI, and a condition of licensing should be that private
message becomes 'uncrackable' even with the most encryption keys should be deposited at the TTP, and
powerful computers. Advances in encryption tech- should be provided within one hour of receipt of an
niques are thus a two-edged sword - strong encryption executive or court order. Since the market for unli-
makes legitimate commerce very secure; it can also censed TTPs could be limited, these proposals were
help human rights groups investigate without their seen by many as equivalent to mandatory key escrow,
reports being decoded by those whose record is being and raised objections.
investigated. But at the same time, strong encryption
P. O. S. T. Technical Report 11 4 April 1998
BOX 2 DUAL-KEY ENCRYPTION AND KEY ESCROW
Before 1976, both ends of an encoded cur between two parties without prior nego- key) to use as they wished, but a copy of the
message needed the decryption key which tiation of a shared secret key. private key would be lodged with a US Gov-
had to be sent separately, effectively re- ernment ‘escrow’ agency, which would re-
This breakthrough (RSA, asymmetric or
stricting cryptography to parties who al- lease it under specified conditions (e.g. in
public key encryption) remained largely
ready had a trustful relationship. Breaking response to a court order). Anything gener-
unused commercially because it was pro-
out of this ‘strait-jacket’ completely revolu- ated by that chip could then be deciphered.
tected by patent, and its use outside the
tionised cryptography and followed from
USA restricted by US export controls (for This proposal was opposed widely by US civil
some rather counter-intuitive properties of
security reasons). However, in 1992, RSA liberties groups and seen by interests outside
large prime numbers.
was adapted for PC-users by a US compu- the USA as offering a ‘trapdoor’ for US au-
Basically, if one takes 2 large prime num- ter security consultant who made this public thorities to commercial traffic. Serious tech-
bers, one can work out 2 other numbers as PGP (‘Pretty Good Privacy'). Despite nical shortcomings led to new policies where
which can serve as a set of private and official USA efforts to suppress PGP, it is private keys would be held by ‘Trusted Third
public encryption keys. With the Mr B’s now widely available via the Internet. Parties’ who, would have the responsibility of
public key, Ms A can send a confidential responding to court warrants, etc. US compa-
Official US bodies were concerned at the
message to him which he can decode with nies could also export encryption of key lengths
possible spread of such ‘strong’ encryption
his private key. However, the mathematics of 56 bits or less (a length which may be
technology because it could make it impos-
involved is ‘one-way’, and the public key ‘crackable’ anyway), providing the industry
sible to intercept and decode communica-
cannot decrypt the message it has encrypted worked to develop 'key recovery products'.
tions in criminal and national security situa-
- thus the message to B is secure. There is, These now exist and mean that when a
tions. It proposed in 1993 to keep control
of course, a mathematical relationship be- company uses one these products, it has to
through a device known as the ‘Clipper’ chip
tween the public and private keys, but it is register with a key recovery agency. This is
- a tamper-proof chip manufactured under
complex and provided the numbers are big not the same as depositing the private key,
Government licence which would contain
enough, can exceed the ability of even the but still allows targeted traffic to be deci-
the encryption program itself. Individuals
most powerful computers to ‘crack’. Thus a phered via a knowledge of the key recovery
would have the chip (and associated cipher
completely secure communication can oc- agency and the customer's public keys.
CURRENT ISSUES ON TTPS potential risk to the customer’s security, as well as
an organisational burden which could limit the
The basic market needs for a CA/TTP include: number of bodies able to offer such services and add
l maintaining unique identifiers for individuals and to costs;
organisations, and generating key pairs; l ways of evading ‘legitimate’ encryption exist - keys
l certification (validation of each names’ public key); need not be escrowed or other encryption tech-
l key management -for keys used for validation and niques used (e.g. steganography 'hides' messages
signature; and for maintaining confidentiality; in digital data of a picture or music score). The
l storage of encrypted data, key recovery services; proposals could thus have brought cost and com-
l security services for validation, time-stamping, non- plexity to law-abiding users while not achieving the
repudiation, etc. results desired by law enforcement agencies;
l agreement and enforcement of contracts between l the global nature of such schemes introduce juris-
parties who only meet in 'cyberspace'. dictional issues of extra-territoriality1;
l depositories of many secret keys could be an irre-
At present, such services are provided by the market at
sistible target for hackers or criminal/terrorist in-
low cost and are integrated 'unseen' into browser and
other software (Figure 2); meanwhile new CAs/TTPs
can be set up to serve particular markets - for example Such questions are not unique to the UK and encryption
the banking sector might wish to establish its own has to be recognised as an international issue in which
'internal' TTP system, while other bodies such as the many players are currently operating. In the USA,
Post Office, solicitors, or quality control bodies could current legislative proposals link licensing of TTPs to
offer more widely available services. Development of key escrow, but licensing would remain voluntary.
such services is however seen as needing regulatory The OECD agreed a number of principles in March 1997
certainty over what conditions of licensing will be which, while recognising that key escrow could be
applied. The 1997 proposals received much support on required in certain circumstances, also warned against
the principle of establishing a licensing scheme, and "unjustified obstacles to international trade and the develop-
also because they sought to encourage alternatives to ment of information and communications networks (8th
the current situation where advanced encryption soft- 1. One single TTP world-wide is clearly impractical, so there would have
ware often involves relying on US key recovery agents to be one or more networks of TTPs to bridge national and international
which are responsive first to US law enforcement agen- legal frameworks. Thus a British TTP would have to comply with UK law,
but would have to be trusted internationally in order to fulfil its role;
cies. They were however criticised on the grounds that: equally, there would have to be restrictions on bodies offering services
l adding key escrow to the role of the CA created a outside the UK to evade UK licensing conditions.
P. O. S. T. Technical Report 11 4 April 1998
principle)" and "legislation which limits user choice (2nd legitimate needs of interception, surveillance and
principle)." The 5th principle states that: "The fundamen- decryption take full account of these realities and en-
tal rights of individuals to privacy, including secrecy of sure that the necessary measures are both technology-
communications and protection of personal data, should be independent and avoid stifling legitimate commerce or
respected in national cryptography policies and in the imple- rendering it vulnerable to industrial espionage. One
mentation and use of cryptographic methods". option cited by some would be to strengthen the law to
make it an offence to refuse to decrypt specific trans-
Independent experts saw the former Government's
missions or data targeted by a judicial warrant (or to
proposals as going beyond the OECD position and
require them to provide hard copy of the original
essentially leading to mandatory key escrow and an
transmission). A parallel approach may need to recog-
expansion in the capabilities of surveillance authorities
nise that the volume of e-traffic is now so large and
to access and decode routine traffic. As such they
growing so fast2 that much greater selectivity is needed
attracted opposition from industry which saw them
to identify those transmissions of interest, and to recog-
threatening vulnerability to fraud and industrial espio-
nise a greater role for sectors of business to regulate
nage, while also being linked to one technical approach
themselves - perhaps under more official guidance (e.g.
to encryption at a time when technology was bringing
via codes of practice) on security, access control, and
in a range of alternative encryption systems to main-
how to identify and respond to suspicious traffic.
tain confidentiality. The value of private key encryption
is now increasingly for verification - exactly the area
INTERNET COMMERCE AND TAX
where key escrow is undesirable.
Governments are clearly interested in the potential
Many anticipate that the DTI's revised proposals (ex-
macroeconomic effects of Internet commerce. Some of
pected imminently) will reflect these concerns and
these will benefit consumers who will be able to shop
provide for a more voluntary regime with less demand-
globally for the best prices on goods and services,
ing conditions for private key escrow. It will also
potentially levelling heretofore distorted markets (with-
recognise the importance of attaching conditions only
out the need for complex intergovernmental trade
to confidentiality keys (and not those for authenticity,
negotiations). On the deficit side, Internet commerce
where national policy will need to mesh with a pro-
may diminish the ability of government to raise taxes
posed EU draft directive on digital signatures). Inde-
on goods, services or income.
pendently of any regulations, the UK industry (via the
Alliance for Electronic Business) proposes a voluntary The current complex web of national and international
'Trust Services Infrastructure' whereby CA/TTPs would tax legislation has evolved around conventional mod-
be able to join a UK Trust Services Association acting as els of business - where physical goods are bought and
a 'voluntary' regulator to ensure appropriate standards sold, and where customers and suppliers have a place
of competence and trustworthiness of member bodies. of residence. As increasing amounts of trade have
It would also work to develop a 'Global Trust Infra- involved less tangible items such as financial and tel-
structure' through coordination and mutual recogni- ecommunications services, tax agreements have
tion of equivalent bodies overseas. adapted accordingly, but the potential growth in
Internet-mediated business could pose real challenges
Even with DTI's new proposals, tensions will still
to the ability of Government to maintain revenues.
remain between the interests of efficient e-business
These issues are being addressed in a number of fora,
(flexible strong and cost-effective encryption services)
for example by the OECD’s Committee on Fiscal Af-
and those of law enforcement and intelligence agencies
fairs, and also within the EU. This subject is complex
which still need access to suspicious communications.
and still very fluid, and thus only key questions are
Those in the industry see the primary goal as an
outlined in Box 3, relating to the twin problems of how
unrestricted market for strong encryption products
best to avoid tax evasion or double taxation.
which is globally interoperable, but wish to work with
Governments (US and EU) to define conditions of Overall, internet commerce impacts most severely on
access for law enforcement purposes etc. without man- the two key concepts of residence and source. For
datory key escrow. instance, is a computer server connected to the Internet
The ultimate solution to this quandary is not yet de- in a country in which the enterprise has no other
fined, but many point out that the 'genie' is already out presence, a 'permanent business establishment'? Or
of the 'bottle' and strong encryption which does not should tax status be related more to the support, stor-
depend on public key encryption is in use making age and distribution centres? Even where it is possible
reliance on key escrow too technology-dependent. At to establish where the enterprise is located for tax
the same time, those concerned to thwart interception purposes, the ability of residents to establish off-shore
can use their own keys or other techniques to evade 2. In 1997, the number of e-mails (2.7 trillion) was five times the number
controls. Many thus argue that it is important that the of paper mail delivered worldwide.
P. O. S. T. Technical Report 11 4 April 1998
BOX 3 INTERNET COMMERCE AND TAX SYSTEMS
Internet commerce brings in several areas q E-commerce may increasingly involve A parallel set of issues affects the collection
of complexity with which existing systems new forms of electronic money not read- of consumption taxes, such as VAT.
have never had to deal. Some of these are:- ily recognised by the tax system. q Place of supply is a critical concept in
q The ‘entry costs’ to global markets have q E-commerce may replace physical VAT which presumes a fixed establish-
been reduced and made it accessible to goods (e.g. CDs) which can be taxed ment. Internet transactions could need
many small companies, leading to rapid crossing borders. The digital equivalent to be treated in the same way as tel-
expansions in cross-border activities. flows unnoticed across communications ecommunications services, and taxed
q Many constraints on physical location links. at the customers’ end.
are removed. The ‘front office’ may be q Tax havens and off-shore banking facili- q The difference between goods and serv-
‘virtual’ and no more than a computer ties become more accessible, allowing ices is blurred by Internet commerce.
system with communication links, and more people to use these to reduce or This is particularly important where it
infinitely mobile. Internet business can avoid taxation. Internet banking offers relates to goods imported from outside
involve many countries (one for the ‘web’ high degrees of anonymity and imme- the EU, where currently they are liable
site, another for product storage and diacy of funds transfer. to VAT at importation. Downloading the
distribution; other national networks carry q With detection and enforcement, E-com- physical good as data may allow VAT to
messages). It is thus difficult to define merce provides far less evidence of be avoided altogether.
where an activity is carried out. transactions than traditional commerce. q VAT rules distinguish between different
q It can be difficult to identify participants in Disintermediation may also mean that services, which become difficult to dif-
Internet commerce - for instance the the contracting parties are unaware of ferentiate when all data are digitised.
web page address provides no informa- withholding obligations. Encryption will q Even with off-line services involving the
tion on where the machine is located. also contribute to the near impossibility transfer of goods across borders, the
q The removal of intermediate institutions of tracking all movements and conduct- increased volume of international traffic
removes the main tool for revenue col- ing audit trails. may well swamp the ability of customs
lection - intermediate taxing points. authorities to collect tax.
companies could lead to a tax-driven migration of indeed it would go against one of the areas of agree-
businesses to the Internet and Internet businesses to ment between the EU and USA on Internet Commerce
low tax jurisdictions. Combined with the anonymity - that taxes should not be heavier on the Internet than
and potential for evasion, this could have major impli- on traditional commerce (see later). Moreover, the USA
cations for tax recovery. By making source income has proposed that, at least in the initial stages, the
increasingly difficult to track, the growth of new elec- Internet should be declared a tariff-free environment,
tronic commerce may lead to the criterion of residence- whenever it is used to deliver products or services (this
based taxation assuming greater importance. The in- does not exclude it from tax liabilities when it is used in
creasing globalisation of companies may also increase the same way as a mail order service).
their flexibility to set transfer prices between different
Such considerations have led to extensive debate and
parts of the business to minimise overall tax liability.
consultations. For instance, the US Department of the
Such issues can be slow and difficult to resolve - as Treasury has put out a very detailed analysis of the
illustrated by the persistence of the Service Provider
implications above, as part of an overall consultation;
anomaly where EU-based SPs charge VAT but those the OECD Committee on Fiscal Affairs has organised
based outside the EU do not.
various discussion documents and meetings to try and
The difficulties foreseen in maintaining tax revenues identify consensus on the way forward. The UK Treas-
have led some to call for alternative, more direct taxes ury, Inland Revenue and Customs and Excise are
on Internet activity - for instance a 'bit tax', which engaged in these international activities.
would apply to the volume of data, irrespective of its
underlying value. Many UK Internet users already ay OTHER REGULATORY ISSUES
the equivalent of such a tax, in that they pay VAT on The USA sees the Internet as having a potentially
their telephone call to connect to a service provider, but profound effect on the global trade in services, whether
the bit tax would be specifically linked to the amount of these involve computer software, entertainment prod-
data traffic. Such a tax could, however, present many ucts, information services, product licences, financial
problems -for instance, it could not discriminate be- and professional services, or in terms of direct retail
tween high volume/low value uses (e.g. telemedicine) sales and marketing where customers are able to shop
and low volume/high value transactions (e.g. selling in their homes for products from all over the world.
shares). It could also be an unstable arrangement - as
the volume of data on the Internet increases, presum- The above applications potentially raise problems
ably the tax rate would have to be constantly adjusted. which could lead to governments attempting to regu-
The question of bit taxes is thus not being seriously late. For instance, different national regulations for
examined in the various international groups involved, professional qualifications make trans-border profes-
P. O. S. T. Technical Report 11 4 April 1998
sional services potentially problematic. The laws a BOX 4 US AND EU POLICIES ON INTERNET COMMERCE
consumer relies on for protection at home might not The US "Framework for Global Electronic Commerce" (The White
apply in the country selling the service, and thus House, July 1997) set out 5 principles for policy on e-commerce:
redress (e.g. refunds) might be difficult to obtain. 'Con- 1. The private sector should lead, with governments encouraging
tracts' agreed in Cyberspace might not fulfil national industry self-regulation.
legal requirements. Supporters of Internet commerce 2. Governments should refrain from imposing new and unneces-
see considerable dangers if national governments (or sary regulations, bureaucratic procedures or taxes and tariffs
the EU) react by imposing extensive regulations on the on commercial activities over the Internet.
Internet and electronic commerce, arguing that this 3. Where government intervention is necessary, its goal should be
"minimalist" - to ensure competition, protect intellectual prop-
would stifle it before it has attained economic viability.
erty and privacy, prevent fraud, foster transparency, support
Potential areas of regulation foreseen included taxes commercial transactions and facilitate dispute resolution.
and duties, restrictions on the type of information 4. Existing laws that may hinder electronic commerce should be
transmitted, control over standards development, li- reviewed or eliminated.
censing requirements and rate regulation of service 5. The legal framework supporting commercial transactions on the
providers, measures to 'protect' the consumer, and Internet should be governed by consistent principles across
other potential regulations (e.g. on digital signatures). state, national and international borders.
The EU/US Summit in Geneva (5 December 1997) reiterated the
In an attempt to avoid such a scenario, the USA pro-
principle of market forces, but also committed (inter alia) both sides
posed a "Framework for Global Electronic Commerce",
to work towards:
which should follow the primary principles espoused q A global understanding that when goods are ordered electroni-
in Box 4. These are essentially the same as the UK cally and delivered physically, there will be no additional import
Government's own four principles: duties applied in relation to the use of electronic means. In all
l The law should apply on-line as it does off-line, other cases of electronic commerce, the absence of duties on
with the result that each person is responsible for imports should remain.
their own conscious acts and omissions. q Ensuring the effective protection of privacy with regard to the
l Need international co-operation between enforce- processing of personal data on global information networks.
ment authorities in different jurisdictions, and be- q The creation of a global market-based system of allocation and
governance of Internet domain names which fully reflects the
tween legislatures where harmonization of existing
geographically and functionally diverse nature of the Internet.
laws is possible (e.g. a Uniform Commercial Code).
q Active support for the development of self-regulatory codes of
l Businesses and consumers should have access to conduct and technologies to gain consumer confidence in
tools enabling them to protect themselves (e.g. electronic commerce (including involving all market players and
rating/filtering for harmful content; digital signa- consumer interests).
tures for verification etc.). q Close co-operation and mutual assistance to ensure effective
l Service providers should take voluntary action to tax administration and to combat and prevent illegal activities on
uphold the law on-line, while government keeps an the Internet.
open mind on possible needs for future regulation. Some specific EU Measures are starting to emerge. For instance,
a draft directive has just been released on Digital Signatures, the
The EU has also accepted the need to avoid 'regulation Regulatory Transparency Directive may affect e-commerce in its
for regulation's sake', but has identified a number of extension to services. The EC is also establishing principles for
areas where electronic commerce poses challenges, content regulation by service providers.
which, in the Commission's view, require action under
products can attract a refund from credit card operators
the Single Market framework (see also Box 4). Some of
and offending merchants could be taken off card com-
the early proposals under these headings are already
panies' lists of approved vendors.
raising concerns in industry about their potentially
inhibitory effect on the growth of e-commerce within Some need for regulations is foreseen however -e.g. to
the Community. For instance, Commission proposals define the requirements for electronic contracts to be as
on digital signatures need to avoid being technology- valid as paper ones. But when needed, there is a wide
dependent (e.g. recognising only the use of public key consensus that they need to be international or interna-
encryption), thereby excluding other approaches which tionally coordinated, and technology-neutral, in view
might be acceptable to the market. Some ideas on of the rapid changes involved. An example of such a
'consumer protection' have also suggested introducing light regulatory touch might be to establish the frame-
a requirement that terms and conditions be provided in work for legal recognition of digital signatures, but
hard copy, before an electronic transaction can be con- enabling any technology to be accepted as producing a
firmed, which would rather go against the purpose of digital signature providing it meets general require-
e-commerce to eliminate such steps! Supporters of e- ments of reliability, unambiguity, etc.
commerce point out that there is much potential for With the dominance of the USA in the Internet's history
self-regulation which has already evolved without the and current usage (80% of Internet traffic is in the USA),
intervention of regulators. For example, unsatisfactory
P. O. S. T. Technical Report 11 4 April 1998
BOX 5 RESTRICTING UNSUITABLE CONTENT
Censoring or jamming undesirable or illegal Where materials are held to be illegal, how The most promising approach is voluntary
content faces two primary challenges - first, can one go about removing them, given the content labelling, possibly backed up by
deciding on what is to be restricted, and difficulty of assigning responsibilities in the access providers making it a condition that
then actually restricting it. complex web of the net. After all, the all material posted is so labelled. Once
Most material on the Internet is generally content provided may not originate in the labelled, it is a simple job (either for the SP
available in other formats by other means. UK, or be put on the net in an area where the or user) to apply a filter and to restrict use
What the Internet does is allow individuals material is not illegal. Since UK law does not to specified ratings. Such an approval
or small groups a huge audience at little extend outside the UK, most attention has system is under development by the Plat-
cost. Some of these society may well regard focused on the Service Provider's (SP) form for Internet Content Selection
as ‘deviant’ and object to, but there are many responsibilities in controlling content since (PICS). Other methods of making it more
more groups (e.g. for disabilities) which use these companies provide the Internet con- difficult to post undesirable material include
the Internet to their benefit, and there is nection, and access in the UK itself. a requirement for subscribers posting con-
widespread resistance to interfering with Technical filtering of the broad contents of tent to explicitly identify themselves, and
the 'freedom' of the ‘Net’ among its users. all sites is theoretically feasible, but the providing SPs the ability to monitor and
computers need to be primed with key sample content to ensure the accuracy of
The Internet is not, however, a law-free
words to search for, or some other guid- conten labels.
zone - material that is illegal off-line is also
illegal on-line, and criminal liability falls on ance. Much filtering software has the prob- While such technologies would make it
those who hold and access clearly illegal lem of blocking out perfectly legitimate sites easier to filter out undesirable content, they
material, such as child pornography. The along with those dealing in, for example, still place much of the responsibility on the
global nature of the Internet may, however, sexually explicit images. Such systems individual user to ensure that their wishes
make such principles difficult to enforce. cannot, therefore, even in principle be relied are being met. Broad efforts to ‘clean-up’
Outside cases of clear illegality, defining on to make statutory judgements, although the net are almost bound to be doomed to
what is undesirable faces the same prob- they can raise alerts about material with failure, even after the adoption of a rating
lem as for material available by other means. particular characteristics - for instance, rac- system because the technical complexity
For example in the UK, defining what, under ist words, explicit sexual language, flesh of the system and the sophistication and
the terms of the Obscene Publications Act tone in a graphics file, violence, and alert motivation of many of its users will always
(1989), would ‘deprave and corrupt’. individual users to exercise their own choice. leave loopholes.
there are concerns at the potential use of the interna- viders etc., and the fact that with thousands of web sites
tional regulatory regimes to advance national eco- setting up each day, and thousands closing, compre-
nomic interests. Thus the USA already exports $40B hensive content scanning would be almost impossible.
per year of goods and services in the categories for
As described in Box 5, the main approach being pur-
which Internet commerce is seen as a medium of
sued in the UK is voluntary self-regulation - whereby as
growth, and thus maintaining the Internet as a 'free
soon as a SP is aware of illegal material it is under an
trade' zone can be seen as very much in the USA's
obligation to remove it (or face legal liability as an
economic interest. Some see the EU countries' failure so
accessory). At present, sites are identified primarily
far to develop a common position on issues such as
through a 'hot-line' run by the Internet Watch Founda-
encryption that is also acceptable to the Middle Eastern
tion (IWF) - an industry-funded group which receives,
and ASEAN nations, as assisting the USA to impose its
vets and where necessary acts on reports. Where
own trading and regulatory regimes, as well as making
content is deemed illegal, the sites are removed from
it difficult for European suppliers to develop a viable
the SP's servers and where appropriate, police advised
market for their encryption products. Notwithstand-
in the UK or other countries. Although child pornogra-
ing these concerns, progress is being made towards a
phy has been the primary focus so far as clearly illegal,
common viewpoint between the USA and the EU, and
other categories exist which may also be illegal - e.g.
a joint statement following the EU/USA summit in
disseminating bomb-making recipes, advice on how to
Geneva (December 1997) reiterates the principle of
make fraudulent bank notes. But the main volume of
market forces applying in the Internet, and commits
traffic comes in the greyer area where it may not be
both sides to working towards the objectives in Box 4.
illegal but is offensive to many, such as adult pornogra-
One area which illustrates the limited power of regula- phy, racist material or personal slander.
tory authorities when faced with the global phenom- Here the emphasis is very much on making it easier for
enon of the Internet is what to do about public concerns individuals to restrict their (or others such as children)
over illegal and harmful content. As explained in Box access according to ratings on sex, nudity, language
5, the technical challenges of an effective means of and violence. Some web sites already carry such a
filtering out undesirable content are complicated by the rating (e.g. from the Recreational Software Advisory
Internet's global reach, the variability of 'illegal or Council - RSAC), and modern Internet browsers can be
harmful' content between different countries, debate instructed to 'screen out' sites with particular ratings (or
over responsibilities of content providers, service pro- those without any rating). The IWF and analogous
P. O. S. T. Technical Report 11 4 April 1998
bodies in other countries see this as the way forward Other issues arise from the 'convergence' between
rather than national regulatory authorities attempting telecoms, broadcasting, and computing in the Internet
to control content further. Indeed, the USA explicitly and also the many different services (financial, retail,
supports the broadest possible free flow of information marketing, etc.) delivered over it, which can involve
across international borders, rejects the types of content several different regulators. The DTI will be consulting
regulation applied to radio and TV, and sees dangers later in the year on the implications for the regulatory
that attempts by nation states to regulate content could system of digital convergence, and there have also been
disguise trade barriers as attempts to maintain cultural calls (e.g. via the EC's 1997 Green Paper) to re-examine
or ethical values. The current regulatory inconsisten- the role of the many regulators involved, to eliminate
cies whereby the Internet offers access to material inappropriate cross-over in their responsibilities and
which would be banned (or subject to prosecution) if provide a simple system of protection for consumers,
delivered by conventional broadcast media will thus businesses and the public interest. In this context, the
continue and users will remain very much 'on their DG of OFTEL recently called for existing bodies to be
own' when it comes to protecting their interests. rationalised into two 'Electronic Communications' bod-
ies - one dealing with competition, economic and social
There are many other issues relating to the 'Information policy issues; the other with content regulation.
Society' which have been covered elsewhere3 - intellec-
tual property protection, data privacy etc. However, A final point on regulating the Internet comes from the
one important management issue is the apparently responsibility of Government to safeguard its people
mundane question of how people or organisations are and national assets. There is growing concern that
awarded their 'domain' names- the electronic 'ad- Governments are ill-prepared for the threats of 'infor-
dresses' of the Internet web sites. Thus the UK Parlia- mation warfare', computer crime and 'cyber-terrorism'
ment’s web address is www.parliament.uk; that of the as nations become increasingly reliant on the Internet
White House is www.whitehouse.gov; such domain and other electronic systems in every aspect of life. In
names have clear advantages over their electronic the USA, much attention is being given to these issues
equivalent (a string of eleven numbers). As the Internet (e.g. by Congress). In the UK, the debate is starting to
has expanded however, the difficulties of a company develop through professional institutions such as the
obtaining the domain name it prefers have grown, and IEE and BCS, and a Cabinet Committee is also con-
new ways of allocating these are being sought. As the cerned with vulnerability of IT infrastructure (e.g. to
Internet essentially grew out of a US research network, the 'millennium bug').
the US National Science Foundation set the original
name allocation system up, but the US Government is MAINTAINING THE DEBATE
seeking to privatise these functions, introduce compe-
tition and make them more accountable to the user Internet commerce interacts with many programmes in
community. government, between governments, within interna-
tional organisations, and within national and interna-
There are many different communities that use the tional business. In the UK, DTI's Information Society
Internet - individuals, academics, business and, in- Initiative is central and brings together such pro-
creasingly, governments, etc. and finding a consensus grammes as 'IT for All', the ISI Programme for Busi-
on this is proving difficult. Domain names can have a ness, and the 'Enterprise Zone'. DTI acts within the EU,
high commercial value, and there are an increasing and is also the conduit for UK input into current
number of disputes over registered 'trade names' etc. discussions in the OECD on common approaches,
The proposed replacement for the current system with while the UN is also involved via the UN Commission
US private registrars has caused concern, particularly in International Trade Law (UNCITRAL) and WTO.
outside the USA, and the Internet’s Policy Oversight UK industrial views are now being developed through
Committee, has put forward proposals to increase the such bodies as the Alliance for Electronic Commerce.
number of names available, and to diversify their man- At the European level, the lobbying over the Copyright
agement into a more international framework. This and Liabilities Directives by Internet and Telecoms
issue is not yet resolved, but again emphasises the providers on the one hand and by publishers and
importance of developing a timely EU-wide view so content providers on the other, is particularly intense.
that foreign users of the Internet are not disadvantaged Meanwhile the Internet also has the potential to trans-
- perhaps through 'the Bangemann proposals' for a new form the relationship between the citizen and the state
international framework for Internet management, as well as the way in which public services are organ-
along the lines of other international bodies such as ised and delivered3. All these aspects of electronic
OECD and WIPO. government provide much material for parliamentary
Parliamentary Copyright, 1998. (Enquiries to POST, House of Commons, 7,
3. For example, POST's reports "Information Superhighways" in 1995 Millbank, London SW1P 3JA. Internet http://www.parliament.uk/post/home.htm)
and "Electronic Government" in 1998.