
Ms Hewitt: It will help if, before I address Government amendment No. 4 and amendment No. 12, I briefly remind the House of the reasoning that gave rise to clause 13, and especially subsection (2). Clause 13 puts into effect the policy that the Prime Minister has stated, with which the hon. Gentleman agrees--that

Those are words that the Prime Minister used in Cambridge in September, when he launched the performance and innovation unit report on electronic commerce. We have honoured those words. As a consequence, we introduced a specific clause to the Bill. I believe that the clause has been welcomed both in the House and by business at large.

The clause places a restriction on any conditions of an approval that might be made under part I, or regulations or orders made under any powers in any part of the Bill. No one can be required to deposit any encryption key--that protects the confidentiality of their information--with a third party. A key refers here to anything relating to electronic data which allows access to electronic data, such as a password, or allows the electronic data to be decrypted, such as a private key.

The clause not only rules out a requirement for the physical deposit of a key, but prohibits a requirement for anything to be done that would have the effect of making a key available to another person. That would include the imposition of any key storage technology, which would allow someone else to recreate or gain access to one's key.

Two special cases are outlined in subsections (2)(a) and (2)(b). They do not in any way limit the prohibition on key escrow, but they do make it clear that that prohibition does not preclude two common-sense requirements.

5.15 pm

25 Jan 2000 : Column 176

Clause 13(2)(b) does not reintroduce key escrow. Instead, it addresses the need to be able to insist on some alternative to key escrow, so that important information that has been encrypted remains accessible, even if the key is lost. It does so because orders made under clause 8 will enable information to be stored electronically, and we need to consider what requirements could be made for people to store information where they had opted not to store their encryption keys with another person.

Mr. Duncan: Who does the Minister envisage might be able to take advantage of that power under the order? Will it only be public bodies, or agencies of Government, or might it also be private corporations?

Ms Hewitt: We are dealing with situations that might arise, for instance, under orders made under clause 8, and in most cases those orders will, I think, concern other public bodies. However, let us take the situation where there is a statutory requirement to retain important records, such as records of rail safety or of nuclear power stations. If the order made under clause 8 would enable that information, where there is a statutory requirement to keep it, to be kept electronically, one must provide for the possibility that, in years to come, the key that would enable that information to be accessed and rendered intelligible would be lost. The computer that held the key might be destroyed, or the only individual who had the copy of the key might die.

Under clause 13, we have prohibited the imposition, in a clause 8 order, of any requirement that the key to those data be stored with a third party. However, if the holder of the information does not choose to store the key with a third party, the clause 8 order can require him to take other steps--such as placing a second copy of the information in plain text in a bank vault. Some other security measure not involving mandatory key escrow would have to be taken, to protect future access to important data that had been encrypted. That is the point of clause 13(2)(b).

Amendment No. 4 is a Government amendment that I tabled in order to meet the undertakings that I gave during the fourth sitting of the Committee, on 16 December. The amendment means that the arrangements permitted by clause 13(2)(b) relate to the information represented by the data rather than the data themselves. In other words, the requirement could be met by storing a paper copy of that information, or perhaps storing the information in a readable form on a disk, locked in a safe. In other words, there would be a range of alternatives to key escrow, from which the person holding the information could choose, in order to protect against the loss of a key or that key's becoming unusable.

The amendment also confines the arrangements about accessibility to records that are provided for under a statute or subordinate legislation. That would include a paper record specified under other legislation, or electronic records covered by an order made under clause 8. It does not cover circumstances where there may be provisions about communicating data but no provision about keeping a record.

I take the opportunity to clarify a related point, raised in Committee by the hon. Member for Guildford (Mr. St. Aubyn). He asked whether clause 8 could be used to impose electronic storage requirements where there was no current paper storage requirement. The answer is yes. That is reasonable because, as circumstances and processes change, it may well be sensible for people to be required to store electronic records where, in the past, there was a general understanding, but not necessarily a specific requirement, that they should store paper records. The Bill will afford flexibility, as people become accustomed to the electronic way of doing business.

I hope that I can persuade the hon. Member for Rutland and Melton (Mr. Duncan) that amendment No. 12--although well intentioned--is unnecessary because the existing text addresses a perfectly common-sense need in a satisfactory way. Clause 13(2)(a) would allow an order under clause 8 to require the deposit of a key with the intended recipient of an electronic communication. That is the crucial point. It is only the intended recipient who must have the key. In other words, we are not dealing with key escrow which, by definition, involves giving a key to a third party.

As the hon. Member for Rutland and Melton has said, if information were supplied in an encrypted and unintelligible form so that the intended recipient--the Inland Revenue or some other Government Department, for example--did not understand it, the communication, for all practical purposes, would have been frustrated, even though technically the individual might argue that the statutory requirement to provide the information might have been fulfilled.

The Ministry of Agriculture, Fisheries and Food may want to provide that owners of abattoirs could communicate with the Ministry electronically. Because of the sensitivity of the information to be disclosed and the importance of the identity of the sender, the Ministry might insist that such communications were effected using a particular type of technology--perhaps the abattoir owner would use a smart card, or some hardware token. That might have the effect, or purpose, of transferring the encryption key on the smart card for those messages to the Ministry, so that the information could be read. Clearly, it would be odd if the Bill were not to allow such technology to be specified.

I assure the hon. Member for Rutland and Melton that this is not key escrow. There is nothing sinister behind this measure. It is for the protection of the citizen that technologies sometimes may be specified in a clause 8 order that are sufficiently secure to protect the confidentiality and integrity of the information being communicated. The technology might involve encryption mechanisms where encryption keys--sometimes referred to as session keys--are shared between the counter-parties.

Amendment No. 12 would have a similar effect. Since the intended recipient would need to be satisfied about how he was to render the data intelligible, the clause 8 order would have to address that need. It still would be possible to require that a person used a particular technology or went through a particular process; therefore the requirement might well be met in the most obvious way by the deposit of an encryption key with the intended recipient.

I know that the hon. Member for Rutland and Melton wants to ensure that the drafting of the Bill is as simple as possible. However, in this case, the existing drafting is clearer than his amendment. On the basis of that explanation and my assurances on mandatory key escrow, I hope that the hon. Gentleman will feel able to withdraw his amendment.

Mr. Duncan: I am grateful to the Minister for her assurances, and I agree that the key words in the Bill are "intended recipient". On the basis of her assurances, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Amendment made: No. 4, in page 13, line 42, leave out "of making the data" and insert--

"that the information contained in a record kept in pursuance of any provision made by or under any enactment or subordinate legislation becomes".--[Ms Hewitt.]

Order for Third Reading read.

5.23 pm

Ms Hewitt: I beg to move, That the Bill be now read the Third time.

The Bill will help make the UK the best place in the world for e-commerce, and puts in place the right legal framework. It is fitting that this modernising Bill should be one of the first new laws of the 21st century. Just as this country led the world in the first industrial revolution, we are determined that we will be winners in the new knowledge-driven economy.

The Bill will lay sound foundations for Britain to become a dynamic, knowledge-based economy. Bill Gates described the Bill as "the model for Europe". We plan, through the Bill, to be one of the first countries to implement the EU electronic signature directive, so that British firms can benefit from the emerging online single market. A few days ago, Intel announced a $150 million investment to establish a major server farm in the Thames valley to meet the growing need for internet access across Europe. That and many other such inward investments are confirming the UK's position as Europe's e-commerce hub.

The Bill is the result of an extensive process of consultation with business and the IT industry.
