Select Committee on European Union Written Evidence

Memorandum by The National Computing Centre Limited


The National Computing Centre[88] offers the following responses to the House of Lords inquiry: e-Commerce: Policy Development and Co-ordination in the EU.

What needs to be done to create confidence and to stimulate e-commerce?

  An approach which recognises the virtuous circle which will be created by involving all stakeholders. We must be cautious of concentrating the focus on trust service providers alone.

Will codes of conduct and co-regulation provide sufficient protection? Is there a case for intervention by national governments and the EU?

  The business and legal community are making considerable steps in creating the e-commerce framework. They require national and EU government to intervene to create, modify, or repeal laws which do not support the cross-border opportunities offered by e-commerce.

Should existing EU institutions' internal structures be changed, or new ones created to improve policy development and co-ordination?

  e-Commerce is a conglomerate of existing information technology, business and communal opportunities. Existing institutions should be strengthened to support and grow the infrastructure.

How can structural change be brought about fast enough to accommodate to the growth of e-commerce?

  Revolutionary change should be avoided. e-Commerce has been used by many organisations for many years and it is to these organisations we should turn for the case studies and lessons learnt from which policies for change may be derived.


2. Trust in e-commerce
3. An Overview of the Proposed Scheme
   3.1 Under Development
   4.1 What the Consumers Want
   5.1 Who's Who?
   5.2 Marks out of five
6. Trust Service Providers
   6.1 Trust in TSP
7. Awarding Authorities
   7.1 The CAFE Model
8. Regulatory Authority
   8.1 Will We Need One?
   10.1 Advantages from the CAFE Scheme


  This paper specifically addresses the following questions posed by the House of Lords inquiry:


  (1)  What needs to be done to create confidence and to stimulate e-commerce?

  (3)  Will codes of conduct and co-regulation provide sufficient protection? Is there a case for intervention by national governments and the EU?

  (5)  Should existing EU institutions' internal structures be changed, or new ones created, to improve policy development and co-ordination?

  (6)  How can structural change be brought about fast enough to accommodate to the growth of e-commerce?

  It regards e-commerce as being built on the following foundations:


  The National Computing Centre Limited (NCC) was established in 1966. NCC is a membership organisation, a company limited by guarantee and an independent research and technology organisation. NCC's activities concentrate on supporting and developing research programmes, which generate new knowledge on the effective use of IT and provide a cost-effective gateway to knowledge, participation, and services for its member companies. Supporting activities include the development, supply and support of data management software.

  NCC has no shareholders and all profits are reinvested to promote the more effective use of Information Technology.

  NCC's primary products are knowledge, skill and experience. NCC's membership services provide products and services to NCC members that seek to meet their needs for timely, comprehensible and reliable information on current and emerging issues relating to the use of IT to support business and organisational requirements.

  As champions of the user, the National Computing Centre is concerned that despite proposed levels of excellence, the focus of e-commerce policy is biased towards the supplier community and within this, concentrated on the Trust Service Providers.


  Trade information, goods, or money with someone you don't know? It's hard enough to do this when you know that you can stroll into their shop, office or factory to discuss terms or possibly iron out a problem. What if their premises are in the next town, another European country, or on the other side of the world? How can you be sure that they have registered premises at all?

  The designs in this paper will not guarantee the total elimination of all risks, but they can reduce the risk of danger to an organisation and individuals from fraud, negligence, or even just common human error. They can underpin any emerging e-commerce infrastructure and allow it to grow.

  The Consumer Assurance Framework for e-commerce (CAFE) is a scheme to promote trust in e-commerce. Trust underpins all other aspects including access and understanding. It will allow consumers to have confidence in Internet transactions. CAFE will deliver a method for business to manage the selection and retention of Trust Service Providers (TSPs), and a code of practice for the stakeholders themselves. It will ultimately deliver a package to promote excellence in electronic commerce and create a hub for international electronic business.

  CAFE will pave the way for effective e-commerce through standards, certification and education, for business to implement and for consumers to make well-informed choices. Such a virtuous circle will help to produce a truly market-driven environment.

  It is also important to recognise that the scope of electronic commerce extends beyond the popular image of credit card transactions over the Internet. Knowledge trading is one other example. The use of micro payment systems is another. The definition in the recent Cabinet Office report is excellent as it summarises the activity without the distraction of financial activity:

    "Electronic commerce is the exchange of information across electronic networks, at any stage in the supply chain, whether within an organisation, between businesses, between businesses and consumers, or between the public and private sectors, whether paid or unpaid."

  CAFE will embrace this definition by building on the foundations set out in the diagram below. CAFE will draw together the supplier-led initiatives such as tScheme for Trust Service Providers, TrustUK for traders, and the financial institution-based Identrus.


  The proposed scheme envisages the following stakeholders in e-commerce, all of whom will benefit from a formal scheme whether voluntary or enforced by legislation.

    —  Consumers;

    —  Suppliers;

    —  Trust Services Providers;

    —  Awarding Authorities; and

    —  Regulatory Authorities.

  The proposed scheme would allow for a stakeholder taking on different roles pertaining to different relationships with other stakeholders. For example, a customer of one stakeholder may be the supplier of another. CAFE is an umbrella, and a focal point for other initiatives which concentrate on single aspects of the supply chain.

3.1  Under Development

  CAFE is a research and development project of the National Computing Centre. Some of the ideas in this paper may become part of the final specification but currently, all are just suggestions and examples of how the proposed scheme may operate.

  The National Computing Centre has identified the need for CAFE to allow IT business users to find their way through the many pathways which lead to e-commerce in all its forms. CAFE recognises that there are national and private schemes, and proposals, being announced from all quarters; CAFE will bring the issues back to street level, in practical terms which can be understood by the ordinary business community. For some, EDI will continue to be the way forward; for others it may be XML, to refer to only two pieces of the jigsaw. It is important not to be distracted by one company selecting a different solution over another. Summary rejection of established standards is throwing the baby out with the bathwater—"progress is bad things happening faster" some may say.[89] If the community is to become a centre of excellence, it must pool its strengths and present a picture which will make the world confident when it clicks on domains in the EU. CAFE can provide these credentials.


4.1  What the Consumers want

Consumers want to be able to make informed choices and this means that they will need reliable information on price, quality and the safety of products. They need to know about returns policies and other contractual rights.

  Electronic commerce is not new but the opportunity for many individuals and companies freely to do business with each other electronically is, thanks to the rapid growth of Internet and related technologies.

  Purchasing electronically or passing sensitive information over the Internet needs to be underpinned by a simple mechanism to instil confidence. The proposed scheme will deliver a tiered level of certification (such as the proposed online "hallmark") for Internet sites to which information may be sent safely. This would initially be identified by an "approved site" symbol. A developed scheme would successfully negotiate with providers of Internet tools (such as browsers) to incorporate an electronic certification mechanism that would warn customers of the security rating of a site.

  CAFE will research and define the user requirements for the security and integrity of e-commerce transactions. This may be based on already accepted work.


5.1  Who's Who?

To draw a diagram which shows the range of activities going on in electronic commerce and relate that to the many roles within those activities would probably produce a figure as complex as the Internet itself.

  On the Internet, one supplier may be the customer of another whilst receiving its Internet services directly from that supplier. Another organisation may receive the same services through an independent third party. Or more simply: suppliers who trade electronically may provide their own service or use a trusted third party. The same site certification rules would apply in both instances. Suppliers would be expected to make trading only available from sites which were "stamped" with the accredited symbol. To receive permission to use an accredited symbol, a supplier would need to comply with certain rules contained in codes of practice; different codes of practice would be required for the different situations.

5.2  Marks out of five

  When the UK Government called for comments on its proposed electronic commerce strategy, industry raised the concern that award schemes require high investment from those seeking certification.

  CAFE proposes a tiered approach which will allow organisations to select a level of certification commensurate with levels of business risk. It will also apply opportunities for self-assessment which will require no external costs to the organisations involved. Individuals may be able to make informed choices after thinking through a few short questions which could be printed on a mousemat.

  For example:

    Grade   Means . . .

    1       Complies with basic codes of practice
    2       Complies with advanced codes of practice
    3       Complies with advanced codes of practice and BS 7799
    4       Complies with advanced codes of practice and BS 7799, ISO 9000
    5       Complies with advanced codes of practice and BS 7799, ISO 9000, and rules of recognised regulatory authorities such as the British Banking Association, the Financial Services Authority, and the Association of British Insurers

  Alternatively, these grades could be translated into simple checklists that can be applied by users with varying levels of expertise to carry out a risk assessment of what they are trying to achieve by e-commerce.

  CAFE would bring under its umbrella the best practices from around Europe and, if appropriate, beyond. This would serve the very important purpose of building on current successes and the experience of IT practitioners and the users in the different fields of commerce, and the supporting professions. It will be important to recognise that e-business opportunities are built on new ways of doing the activities that have been in place for centuries.

  CAFE would bring national initiatives such as TrustUK into the framework.


6.1  Trust in TSP

  The hub of the proposed scheme will be a set of rules or guidelines (depending on the market drive for a mandatory or voluntary code of practice) for Trust Service Providers. Certification or accreditation against these rules would be tiered to allow for different grades of transactions (for example: sensitive or non-sensitive information) and different grades of service provider, as shown in the table below.

  This will allow for truly third-party encryption services and (say) a large corporation which wished to offer products and services to its customers over an "extranet".

  The proposed scheme would award ratings based on the level of independence of the services provider and the technologies that are offered. The proposed scheme would be sufficiently flexible to incorporate current technologies and encompass future innovation. The rating system would allow service providers to gain low-level accreditation easily, and then build up the level of approval commensurate with the opportunities its market offers. This will minimise the cost and potential bureaucracy of the early accreditation.

  Ratings for the service providers would work like the system for suppliers. However, a higher entry level would be expected.

  For example:

    Grade   Means . . .

    1       It would not be appropriate to make low grades available for Service Providers
    2       It would not be appropriate to make low grades available for Service Providers
    3       Complies with advanced codes of practice and BS 7799
    4       Complies with advanced codes of practice and BS 7799, ISO 9000
    5       Complies with advanced codes of practice and BS 7799, ISO 9000, and rules of recognised regulatory authorities such as the British Banking Association, the Financial Services Authority, and the Association of British Insurers

  CAFE would bring national initiatives such as tScheme into the framework.


7.1  The CAFE Model

  Accreditation of service providers would be through suitably qualified assessment bodies. These assessment bodies would in turn be accredited to certify service providers by a "regulatory" or "guiding authority". The scheme will be self-supporting, funded by charging for their services (cf. ISO 9000 and BS 7799). See the figure below.



8.1  Will We Need One?

  CAFE will include methods for self assessment by contributors to the supply chain. CAFE will also use similarly accessible methods for individuals and organisations to carry out second-party assessments of good practice to manage the risk in procurement decisions. These may be applied using fast-track, short checklists or more in-depth analysis.

  After initially establishing the proposed scheme, NCC may hand over the running of the proposed scheme to a suitable organisation; the United Kingdom Accreditation Service (UKAS) may be approached. It may be appropriate to expand the remit of (say) TrustUK. This level of the model will very much be governed by industry opinion and detail of legislation. The success of the proposed scheme will rely on:

    —  the manageability of the codes of practice;

    —  whether it is driven by legislation or by the market;

    —  the credibility of the hallmark/certificate;

    —  the independence from any market sector;

    —  the independence from any part of the model: suppliers, consumers, service providers etc;

    —  feedback from the public either directly, by survey, or investigation into (say) types of litigation or alternative dispute resolution, to test the effectiveness of codes of practice and purchasers' decisions based on them.


  There is already significant work being done nationally and internationally which CAFE will collate and direct to the diverse stakeholder participants of e-commerce. As a corollary, CAFE will also make contributions to organisations such as the Global Business Dialogue and the World Intellectual Property Organisation. These organisations are already providing direction for the e-commerce agenda; CAFE will take a positive, pragmatic view to steer through the industry enablers and political policy makers to provide practical guidance to the doers. The flexibility and scalability of the CAFE framework means that the scheme can provide a practical vehicle for e-minister or e-envoy to deliver whatever the social and economic agenda suggests.

  At least some of the cloud of uncertainty which surrounds e-commerce is clearing. This is happening through traditional processes and so validates the need for the framework. Recent reports have identified that good e-commerce is susceptible to the same mistakes as any other discipline. Project planning procedures must be in place and reviewed in no less detail than (say) traditional engineering projects. The wide variety of user types means that social implications must be considered even more so than for an application which is rolled out in-company. CAFE will take note of the trends for e-commerce uptake so that implementers can scale their e-commerce to fit with the outlook and keep the business model up to date. Initial research for CAFE already suggests that business should be wary of whirlwind romances with innovative technology which may alienate them from the silent majority of loyal customers who may take longer to woo to the Internet; some may never make the transition, others may have another electronic path which may be equally effective for the activities in hand.


10.1  Advantages from the CAFE Scheme

This proposed scheme will develop mechanisms that:

    —  are eminently scalable, and easily customised to fit the needs of the e-commerce market place as a voluntary or a statutorily backed scheme;

    —  are based on guidelines already internationally endorsed by users, solicitors, lawyers and trusted third party organisations;

    —  will contain a framework into which additional licensing criteria can be slotted or impractical licensing criteria removed;

    —  will provide an umbrella for any other standardisation, legislation, or voluntary practice required for technically detailed areas such as encryption, digital signatures etc. Also, insurance for transactions may be considered depending on the use of accredited services;

    —  the opportunities for contributing and encouraging the e-commerce market are shown in the figure below.

  These will provide the yardsticks to measure conformity to the CAFE model. This is another feature keeping CAFE in line with recent reports: an opportunity for a time-based (say annual) status report, providing key indicators for continuous improvement.


  (Conclusions as at Summary)

21 February 2000

88   Daniel Dresner, Head of Standards, The National Computing Centre Limited, Oxford House, Oxford Road, Manchester M1 7ED, Telephone: 0161 242 2352, Fax: 0161 242 2499, E-mail:

89   As popular author Terry Pratchett writes.

© Parliamentary copyright 2000