European Commission to regulate website authentication

I have blogged before on the Commission proposal to regulate electronic identities and trust services, but it was not until a EURIM workshop on Monday to collate members' concerns that I appreciated the enormity of what is proposed. The preamble alleges that the draft builds on extensive consultations, but it is clear that few of those who might be affected were aware of these, and the resultant draft is open to widely differing interpretations as to the practical meaning of what is proposed.

Some of the mandatory requirements are breath-taking, such as the state provision of on-line, uninterruptible, free-of-charge electronic identification and authentication routines for which the state accepts liability to the third parties who use them (Article 5). Others are feeble in the extreme, such as accessibility to Trust Services by those with disabilities "whenever possible".

The requirement for supervisory bodies raises many more questions than it answers, while the section on electronic signatures would appear to undermine the whole basis of international trade (where the technology-neutral "common law" routines have been clear for well over a century, since the cases on whether a cable authentication was a signature).

What shocked me most, however, were the requirements (Article 37) for qualified certificates for website authentication. They revealed a mindset behind the draft that appears worthy of a disciple of L. Ron Hubbard.

Overall, the other concerns raised by EURIM members could be summarised as:

1. Lack of clarity on key definitions

This caused confusion because different parties had interpreted the meaning of parts of the Regulation in different ways. This was particularly apparent where liability was involved.

2. Lack of collaboration

Given that public consultation is over and this is now being handled on an inter-governmental basis, how do corporate members work together to submit consensus feedback to EU governments on the potential impact of the regulation?

3. Lack of global perspective

The regulation lacks a global perspective. For example "website authentication" certificates are among the electronic IDs covered by the regulation. This may be "logical" but raises many issues regarding existing routines for global e-commerce, including the use of "authenticated internet addresses" (including those linked to the use of trusted computing modules, geo-location data, transaction footprints etc.) as "signatures".

4. E-crime and fraud

The regulation and proposals regarding co-operation to address e-crime and fraud must be aligned.

5. Framework

We need a clear and unambiguous framework for looking at Trust Services covering people, applications, software and "things" (as in ubiquitous computing and the Internet of Things). The regulation will fail if there is no trust in who or what is behind a credential: e.g. how much can the UK "trust" a Ruritanian credential?

6. Overkill

The business world already has working solutions to many of the supposed problems and is developing solutions to others. There is a real risk that the regulation may prevent "real world" progress.

The dynamite is 2) above: the assumption that the time for public consultation is over and this is now an inter-governmental matter. Later on Monday, after its AGM, EURIM held a reception that was attended by many of those involved in running cross-border transactions both within the UK and around the world. Lord Erroll, Syed Kamall MEP and Stephen McPartland MP all spoke on the need for industry to work together to educate politicians and officials and to use EURIM as one of the most effective umbrellas for organising the joined up scrutiny of well-meaning but screwed up proposals.

The acronym EURIM originally stood for European Informatics Market, the mythical "digital single market". It has now agreed memorandums of understanding with PICTFOR (the UK all-party parliamentary group concerned with IT and Internet matters) and the European Internet Foundation. The new Director of the European Internet Foundation was at the reception to discuss forward co-operation before returning to Brussels for a meeting to discuss follow up to the Digital Assembly.

As part of the forward programme of co-operation, EURIM will be organising "joined up" inputs to the scrutiny of the draft Data Processing and Electronic Identity Regulations and the draft Payments Directive. By "joined up" I mean looking at proposals in context, to illustrate how they interact and how they should be used to facilitate, rather than obstruct, the creation of a globally competitive digital single market.

Last night material from workshops to summarise members' concerns on all three was being presented in Brussels with the promise that over the next few months the relevant EURIM working groups will put flesh on those summaries and assist the Commission, UK Departmental and Parliamentary scrutiny processes in London and Brussels.

If you are serious about wishing to do cross-border trade within the EU, without having to route your transactions via the US so as to avoid the overheads imposed by ill-considered regulation, the time has come to work alongside your peers to inject some common sense into policy formation and scrutiny. Of course you will not have the time to spend on meeting after meeting in processes that are designed to exhaust opponents into compliance. Hence the use of EURIM working groups to farm out the work while providing continuity of effort.

The process does, however, require professional support, including rapporteurs like the excellent Dr David Wright (who applies the same rigour to political issues as to carbon sequestration in his academic career). This has to be funded. Hence my support for the efforts of my successor as Secretary General (Dr Edward Phelps) in telling our many fellow travellers that the time has come to JOIN and help cover the cost. It is a lot cheaper than the consequences of living with "ignorance in motion".

And if the finance director says you have to hunker down and hit next quarter's revenue target, just remember the side benefits of working alongside your customers, your suppliers and your peers, whether partners or competitors or both (depending on the business in prospect). On Monday night I heard the happy buzz of business introductions being made; I myself made one introduction (both players at main board level) that may well lead to a multi-million pound commercial co-operation on the "greening" of shopping malls in three member states.