مقررات تجارت الکترونیک : یادگیری از قانون تنظیم قدرت های تحقیق بریتانیا

National governments have a legitimate rôle to play in the development of national strategies to support electronic commerce. It is not always clear, however, what any electronic commerce legislation should incorporate or how regulation of electronic commerce should be implemented. This paper explores the strategic issues that underlie national electronic commerce strategies by following the passage of a particular piece of legislation (the UK's Regulation of Investigatory Powers Act, 2000) through Parliament. In identifying some of the arising strains with the interests of industry and civil society, this paper will discuss some of the legal, technological, economic, and political issues that may arise in other countries as they consider the policy habitat of electronic commerce.

Electronic commerce is perceived as an important element of most developed economies. As a result, most governments are taking an active rôle in determining the regulatory environment surrounding the implementation and development of electronic business. The choice of regulatory intervention depends upon the form of the political economy in the particular jurisdiction together with perspectives on how and why regulation should be implemented for this form of economic activity. This paper seeks to explore the complexity of developing a regulatory environment or habitat (Hood, 1994) for electronic commerce. It does this by focussing on a particular piece of legislation from the UK, the Regulation of Investigatory Powers (RIP) Bill that received the Royal Assent on July 28th 2000. This can be seen as one of the strategic measures undertaken by the British government in an effort to provide a level playing field for electronic commerce in the UK. The Bill was one of the most highly contested pieces of legislation to be placed before the British Parliament in recent years. From the outset, the government argued that it was well thought out, having been the result of detailed engagement with ‘serious commentators’ (Clarke, 2000b). However, the business community, and privacy advocates, undertook a major political activity to try and change the legislation in a number of its key areas, suggesting that despite the best efforts of the government, there were still many viewpoints on the process that hadn't been understood properly or taken into account fully. The controversy surrounding the introduction of this piece of legislation indicates the inherent complexities surrounding the regulatory habitat (Hood, 1994) for electronic commerce. The Bill highlighted the conflicting requirements of secure communication and access requirements of law enforcement agencies; the problems of legislating in a rapidly changing technological environment; the need to minimise the costs and risks of any proposed legislation; the goal of maintaining the human rights of those affected by the legislation; and doing all this in a global context. In order to understand these issues the paper draws on theories of regulation. Research on regulation typically seeks to address three main questions: Why is regulation introduced for an area? How is the form of the regulatory intervention determined? How is the process of introducing and implementing the regulation managed? This paper presents the case of the British governments' attempts to arrive at a regulatory regime, and how the strategies shifted due to conflicts and opposition. This is particularly observable within the process of passing the RIP Bill, which is then investigated in detail, through analysis of public discourse and parliamentary Hansard. Section 2 reviews the traditional arguments for government intervention through regulation and introduces the key issues that any understanding of regulation must address. Some initial responses to these issues are then presented, before reviewing the broader context of policy making on cryptography in the UK. This policy debate led to the RIP Bill and the paper then reviews the decisions made about the research method before describing the Bill in Parliament and the issues it raised. Through a presentation of the Parliamentary debate, the paper highlights those areas of the Bill that were changed and the reasoning behind the changes, together with those aspects that were left unchanged despite protestation. The paper ends with a discussion of the lessons learned about the regulation of electronic commerce from the experience of the RIP Bill.

The goal of this paper has been to outline the challenges in establishing a policy habitat to support electronic commerce. By reviewing the specific case of the UK, from its first mentioning of the regulatory intents regarding encryption in 1996 through to the Royal Assent of the Regulation of Investigatory Powers Act in July 2000, some strategic issues can be determined.There are many possible explanations for the introduction of the RIP Bill. One was the need to update the Interception of Communications Act, both as a result of technological advances and in order to comply with the new Human Rights Act. The felt need for government to support electronic commerce also contributed, as did the Home Office's concerns with the proliferation of encryption techniques that were necessary for electronic commerce, but also more available because of the Internet. The changing shape of the market place also had an impact as new businesses outside the scope of existing legislation, for example, Internet service providers, were becoming major players in the economy and in the provision of communications services. Earlier interventions in the electronic commerce arena had taken various forms. An initial attempt at regulation of one element of electronic commerce was attempted, i.e. the mandatory licensing of Trusted Third Parties. This, however, was not successful and was replaced by a voluntary regime which was ineffective in practice. The DTI then introduced regulatory interventions in the form of the Electronic Commerce Bill, and sections were later divided between the Electronic Communications Act and the Regulation of Investigatory Powers Act.After the draft electronic commerce bill was split in two, the Home Office took over the more contentious aspects that related to law enforcement issues. This was a result of a great deal of controversy over concerns that surveillance considerations were overriding legitimate regulatory needs within electronic commerce. The Home Office assumed responsibility for the surveillance aspects with its own update of the Interception of Communications Act 1985. However, unlike the DTI and the Cabinet Office, the Home Office's expertise is not in liasing with the business community and many of the problems the legislation faced could be seen to arise from this, as the industry opposition was intense (BCC, 2000 and ISPA, 2000). By studying the progress of the regulation from 1996, and particularly the trajectory of the Bill through Parliament, it is possible draw lessons from the experience of the British Government. In particular, it is possible to highlight five issues that similar legislation may have to address as other countries try to establish similar policies (as is currently occurring in Australia, France, New Zealand, South Africa, and is occurring in international conventions such as the Council of Europe (2001)). First, there is the conflict between secure transactions and the need for certain bodies to be able to access them. Governments will wish to update (Hosein, 2001) their laws to deal with secure transactions enabled through encryption, but there are at least two clear interests at stake: encryption supports electronic commerce and shields criminal activity. UK acknowledged this from its very first articulation of encryption policy, but then spent many years realising that dealing with criminal activity through regulation affected electronic commerce as well. Even when the initiatives were split into two separate statutory instruments, the law enforcement instrument, the RIP Bill, still contained measures that affected electronic commerce.Second, the articulated costs and risks of implementing any such lawful access capabilities will have an impact on the growth of Internet activity in the country. The first set of proposals from the British government involved an onerous regulatory regime of trusted third parties, and the costs and risks associated with operating such an institution were considered too high for the market to adopt, amongst other reasons. The earlier proposals also failed to differentiate between the types of keys, such as signature and encryption keys, and as a result introduced risks to electronic commerce (Abelson et al., 1998). Under access provisions in the RIP Bill, the risk of key disclosure and misuse were concerns of industry (as articulated in the BCC report (2000)). The settlement was the establishment of a liability minimisation regime, and notice sent to corporate directors in the case of keys belonging to employees that were accessed and specific keys.Third, the practical implications of seizing encryption keys for ongoing surveillance leads to interesting technological and human rights implications. The technological issues were addressed with the granularity of the keys: after amendments, individuals can now select which keys are disclosed (subkeys, session keys, etc.). The human rights issues involve particularly due process considerations. This includes an authorisation process for accessing keys where a judge signs the warrant (as promised in the Labour Manifesto), or the Home Office Secretary signs the warrant (as in a failed amendment); the treatment of reverse burden-of-proof of lost/destroyed keys, which was addressed to some extent in an accepted amendment; and the issue surrounding self-incrimination, which has not yet been resolved. Other countries with differing respect for human rights and due process (the US is among the highest with this regard to due process, less developed countries often have the least regard) may interpret and develop policy around these issues differently but will at least have to consider them. Fourth, governments must attempt to legislate within the context of a rapidly changing technological environment. Often times in the Hansard the parliamentarians noted that all these issues would have to be revisited as the technology continued to change. Moreover, bypassing the statutory powers of RIP is not technologically challenging, and as a result the Act may have to be revisited to increase its applicability; as this was addressed late in the parliamentary debates, the line of questioning was dismissed. The model of regulation selected by the British government is designed ideally for such revisiting, however: primary legislation, being the RIP Act, and associated Codes of Practice that are still being negotiated even over a year later.Finally, the reality of a global infrastructure and the nature of commerce involving information and communication technologies implies that regulation that imposes too much on industry may result in a situation of regulatory arbitrage as companies or services move off-shore. This was raised particularly by the BCC report how companies may choose to store their keys off-shore where they may not be compromised by the British law enforcement agencies; or more simply technical solutions can be found to place keys just beyond access. The most interesting articulation of this issue was the rejected amendment to remove the government access to keys provisions in a sunset clause if other countries failed to adopt similar legislation. On the last day of debate before Royal Assent, Mr. Clarke defended the bill and the global implications:After the Bill receives Royal Assent, we shall work with the industry—and the Opposition, if they are willing—to promote it both in this country and internationally. Given the comments made in the overseas media, we must explain clearly what the Bill is and is not, and why we do not believe it poses a threat to e-commerce in Britain; on the contrary, it will help to achieve the Government's aim of a strong and secure e-commerce economy, to which we are all committed.Propaganda is needed, and I hope that the whole House will help to promote the interests of this country's businesses when the time comes. The point is being pursued in the Council of Europe draft convention on cybercrime (as critiqued in (Global Internet Liberty Campaign, 2000)), which contains ambiguous statements regarding lawful access (Council of Europe, 2001, article 19.4), and as other countries pursue similar regulatory regimes, the British may not be alone for much longer with these powers, and resulting in less countries for industry to which to relocate. These strategic issues that arise in the creation and settlement of national policies on electronic commerce are not unique to the UK. Varying consultation processes in other countries may give rise to varying results and instruments, however it is our belief that many of the issues raised in this policy process will either be raised again in other countries, or other governments may learn from the pioneering experiences of the UK. Interpretive flexibility may result based on existing statutory environments (such as bills of rights and constitutions), applicability and decisions of criminality (what is considered a serious crime?), and the amount of consideration given to industry and electronic commerce interests (costs reimbursement and infrastructure considerations); but so long as there is consultation, debate, and discourse the strains and implications as seen in the UK may still apply. The technological environment surrounding electronic commerce, as articulated above, necessarily includes encryption and the Internet itself. Both of these technologies, and the according environment played a rôle in the development of the British policy as the technological environment is one of the key components to the habitat of electronic commerce policy. The traditional policy habitat of commerce has been transformed by renewed interest in technologies such as the Internet and encryption that are enabled and driven by electronic commerce; as a result the policy habitat of electronic commerce is different to that of traditional commerce. New regulations are thus introduced to deal with these new problems. Whether it is discussion of authentication and digital signatures or a discourse surrounding the surveillance capacities of the state, it is our contention that the lessons discussed above may be raised in other national legislatures when the time comes. Regulating this political, legal, technological, and commercial habitat is a challenge worthy of further study; as the UK has learned.