
Wednesday, 13 December 2017

Cyberleagle Christmas Quiz

[Updated with answers, 1 January 2018]

15 questions to illuminate the festive season. Answers in the New Year. (Remember that this is an English law blog). 

Tech teasers 

1. How many data definitions does the Investigatory Powers Act 2016 (IP Act) contain?

Twenty-one: Communications data, Relevant communications data, Entity data, Events data, Internet connection record, Postal data, Private information, Secondary data, Systems data, Related systems data, Equipment data, Overseas-related equipment data, Identifying data, Target data, Authorisation data, Protected data, Personal data, Sensitive personal data, Targeted data, Content, and Data. 

2. A technical capability notice (TCN) under the IP Act could prevent a message service from providing end to end encryption to its users. True, False or Maybe?

Maybe. A TCN could require the provider to have a capability to remove electronic protection applied by it if, among other things, that is technically feasible. The most significant question is whether the message service provider is regarded as itself applying the E2E encryption. If so, then a TCN could possibly be used to require such a provider to adopt a different model. If the user is regarded as applying the encryption then a TCN could not be used. 

3. Under the IP Act a TCN requiring installation of a permanent equipment interference capability could be served on a telecommunications operator but not a device manufacturer. True, False or Maybe?

True. Device manufacturers are outside the scope of TCNs. If a device manufacturer provides a telecommunications service (for instance where a phone manufacturer also provides its own messaging service) then it could be within scope, but only for its telecommunications service activities. 

4. Who made a hash of a hashtag?

In an interview in March 2017 Home Secretary Amber Rudd famously referred to the need for assistance from those who ‘understand the necessary hashtags’.  A week later a Home Office Minister explained that she had intended to refer to image hashing, not hashtags. So strictly speaking she made a hashtag of a hash.

Brave new world


5. Who marked the new era of post-Snowden transparency by holding a private stakeholder-only consultation on a potentially contentious IP Act draft Statutory Instrument?

As required by the IP Act the Home Secretary consulted various specified stakeholders on draft technical capability regulations (see 2 and 3 above) prior to laying them before Parliament for approval. The consultation was conducted privately, excluding the general public and civil society groups. However the Open Rights Group obtained and published a copy of the draft regulations.

6. Who received an early lesson in the independence of the new Investigatory Powers Commissioner?


GCHQ. Its November 2017 approach to the Investigatory Powers Commissioner to discuss the possibility of a protocol for reducing evidential issues in Investigatory Powers Tribunal or other cases was politely but firmly rebuffed. 

The penumbra of ECJ jurisdiction
  
7. The EU Court of Justice (CJEU) judgment in Watson/Tele2 was issued 22 days after the IP Act received Royal Assent. How long elapsed before the Home Office published proposals to amend the Act to take account of the decision?

344 days. The Consultation was published on 30 November 2017.

8. The Investigatory Powers Tribunal has recently made a referral to the CJEU. What is the main question that the CJEU will have to answer about the scope of its Watson decision?  

Paraphrased, the main question is whether national security is excluded from the Watson decision as being outside the scope of EU law.

9. What change was made in the IP Act’s bulk powers, compared with S.8(4) RIPA, that would render the CJEU’s Q.8 answer especially significant?

In the IP Act the purposes for which the bulk powers may be exercised are all framed by reference to national security. In RIPA (as amended by DRIPA 2014) the serious crime purpose does not have to be related to national security. 

10. After Brexit we won't need to worry about CJEU surveillance judgments, even if we exit the EU with no deal. True, False or Maybe? 

False, at least if the UK wishes to have a data protection adequacy determination that would enable EU countries to transfer personal data to the UK. As the USA discovered in Schrems, a third country’s surveillance regime can be a significant factor in an adequacy determination.

Copyright offline and online

11. Tweeting a link to infringing material is itself an infringement of copyright. True, False or Maybe?  

Maybe, depending on whether (a) you know that the material is infringing; or (b) you are linking for financial gain, in which case you would be rebuttably presumed to know. This is the result of the CJEU’s decision in GS Media.

12. Reading an infringing copy of a paper book is not copyright infringement. Viewing an infringing copy online is. True, False or Maybe?

True, at least if what you do online is sufficiently deliberate and knowing.  EU copyright law treats screen and buffer copies as engaging the reproduction right. The CJEU in Filmspeler held that the user of a multimedia player add-on containing links to infringing movies infringed the reproduction right by viewing an infringing copy accessed via the link.  This was because, as a rule, the purchaser of such a player deliberately and in full knowledge of the circumstances accessed a free and unauthorised offer of protected works. This took the activity outside the Copyright Directive’s exception for transient and temporary copies. The same reasoning can be applied to an online book.

13. Whereas selling a set-top box equipped with PVR facilities is legal, providing a cloud-based remote PVR service infringes copyright. True, False or Maybe?

True. Established by the CJEU in VCAST, 29 November 2017.

14. Format-shifting infringes copyright. True, False or Maybe?

True.  Seven years after the Hargreaves Review identified this as an aspect of copyright that puts the law into confusion and disrepute, format shifting remains an infringement.

15. Illegal downloading is a crime. True, False or Maybe?

False. A user who downloads without the permission of the copyright owner commits a civil infringement of copyright, but without more that is not a crime.  In 2014 PIPCU (the Police Intellectual Property Crime Unit) deployed replacement website ads proclaiming that ‘Illegal downloading is a crime’. PIPCU later explained this on the basis that “Downloading falls within s.45 of the Serious Crime Act 2007 if it encourages s.107 CDPA 1988 offences”. 


Tuesday, 14 November 2017

Electronic wills: an idea whose time has yet to come?

Over the last four months the Law Commission of England and Wales has been consulting on the topic of Making a Will, focusing on testamentary capacity and formalities.  Chapter 6 of the Consultation is about Electronic Wills. This is my submission on that topic, from the perspective of a tech lawyer who knows little of the law of wills but has grappled many times with the interaction of electronic transactions and formalities requirements.

Introductory Remarks

Overview
1. The question at the core of Chapter 6 of the Consultation is how to give effect to testamentary intentions in an increasingly electronic environment. This has at least five aspects, which inevitably conflict with each other to an extent:
  • Providing a reasonable degree of certainty that the testator intended the document in question to have the significant legal effects of a will. This is achieved by requiring a degree of formality and solemnity.
  • Ensuring that formalities do not act as a deterrent to putative testators whether through complexity, cost, consumption of time or uncertainty as to how to achieve compliance.
  • Minimising the risk of a testator’s intentions being defeated by an actual failure to comply with formalities or an inability to demonstrate that formalities were in fact complied with.
  • Providing protection against fraud, tampering and forgery, either of the body of the document or of the signature(s) appended to it.
  • Providing for all the above over the potentially long period of time between execution of the will and its being admitted to probate.
2. The tensions between these requirements mean that a balance has to be drawn that will not perfectly satisfy any of them, as is the case with the current regime designed for an offline environment.

Signatures versus other formalities

3. Although the focus of electronic transactions regimes tends to be on signatures, signatures should not be addressed in isolation from other relevant formalities[1]. As the Consultation Paper recognises, there is interaction and dependency between signature, form, medium and process. Although the Consultation Paper does not categorise them as such, for wills formalities of all four kinds exist:
  • Signature: the need for signatures and the (possible) requirement that the signature be handwritten (Consultation Paper 6.20 to 6.30)
  • Form: the caselaw requirement for an attestation clause if a strong presumption of due execution is to arise (Consultation Paper 5.11 to 5.12; confusion around the witness attestation requirement is addressed elsewhere in the Consultation paper.)
  • Medium: the requirement that the will be in writing (Consultation Paper 6.15 to 6.19)
  • Process: the presence and simultaneity requirements for witnessing (Consultation Paper 6.32); and the practical filing requirements for admission to probate (6.97).
4. However the Consultation Paper is not always convincing about the relative importance of these formalities.  Thus in bringing home to the testator the seriousness of the transaction, the ceremony of gathering two witnesses in the same room simultaneously to witness the testator’s signature would seem likely to be more significant than whether or not the signature is handwritten (cf Consultation Paper 6.48, 6.64). If it had to be done in the presence of two witnesses, appending a signature to an electronic document using (for instance) a tablet would surely be no less a matter of consequence than applying a handwritten signature to a paper document.

5. The overall purpose of giving effect to the testator’s intention where electronic methods are involved may be achievable by an appropriate combination of all four kinds of formality. Not all (or even most of) the heavy lifting has necessarily to be done by the signature itself, any more than with a traditional paper will.

The function of a signature

6. The function of a signature is generally threefold: (1) to indicate assent to or an intention to be bound by the contents of the document, (2) to identify the person so doing and (3) to authenticate the document. (There are variations on these functions. For instance the signature of a witness does not indicate assent or an intention to be bound, but instead is intended to verify the signature of the party to the document.)

7. The difference between the identification and authentication functions can be seen if we consider the different kinds of repudiation that may occur. Identification protects against the claim: ‘That is not my (or X’s) signature’.  Authentication protects against the claim: ‘That is my (or X’s) signature, but that is not the document that I (or X) signed’.

Strengths and weaknesses of electronic signatures

8. As the Consultation Paper notes, ordinary electronic signatures (typed names, copied scans) are poor identifiers and authenticators. Nevertheless English law, in keeping with its historically liberal attitude to formalities requirements generally, rightly regards such signatures as adequate in most cases in which a signature is required by statute. Manuscript signatures are better, but not perfect, identifiers and authenticators. A properly formed manuscript signature is better than a mark, but both are valid.

9. At the other end of the scale of sophistication, certificate-based digital signatures are very good (far better than manuscript signatures) at authenticating the signed document.  However they remain relatively poor at assuring the identity of the person who applied the digital signature. This is because however sophisticated may be the signature technology, access to the signature creation device will (in the absence of a biometric link) be secured by a password, a PIN, or something similar. As the Consultation Paper rightly points out these are weak forms of assurance (Consultation Paper 6.60 to 6.68). This aspect can be improved by adopting methods such as two factor authentication of the user. It may or may not be apparent after the event whether such a technique was used.

Common traps in legislating for electronic transactions

Over-engineering and over-estimating the reliability of non-electronic systems

10. The Consultation Paper refers to the apparently stillborn attempt to legislate for electronic wills in Nevada. I am not familiar with the particular legislation in question, but will offer some general comments about the temptation for legislation to impose over-engineered technical solutions.

11. Over-engineering is a natural consequence of over-estimating the reliability of non-electronic systems and thus, in the name of equivalence, attempting to design in a level of assurance for the electronic system that does not exist in the non-electronic sphere.  As the Australian Electronic Commerce Expert Group stated in its 1998 Report to the Attorney-General[2]:
“There is always the temptation, in dealing with the law as it relates to unfamiliar and new technologies to set the standards required of a new technology higher than those which currently apply to paper and to overlook the weaknesses that we know to inhere in the familiar.”
12. Over-engineering occurred in the early days of digital signatures, when complex statutes were passed in some jurisdictions (the Utah Digital Signatures Act being the earliest and best known example) in effect prescribing the use of PKI digital signatures in an attempt to achieve a guarantee of non-repudiation far beyond that provided by manuscript signatures. These kinds of rules were found to be unnecessary for everyday purposes and have tended to be superseded by facilitative legislation such as the US ESign Act.

Over-technical formalities requirements

13. Over-technical formalities requirements are a potential source of concern. This is for two reasons. 

14. First, they increase the chance that a putative testator or a witness will make an error in trying to comply with them. As the Sixth Interim Report of the Law Revision Committee said in 1937 in relation to the Statute of Frauds:
" 'The Act', in the words of Lord Campbell . . . 'promotes more frauds than it prevents'. True it shuts out perjury; but it also and more frequently shuts out the truth. It strikes impartially at the perjurer and at the honest man who has omitted a precaution, sealing the lips of both. Mr Justice FitzJames Stephen ... went so far as to assert that 'in the vast majority of cases its operation is simply to enable a man to break a promise with impunity, because he did not write it down with sufficient formality.’ " 
15. Second, a person attempting to satisfy the formalities requirements must be able to understand how to comply with them without resort to expert technical assistance, and to be confident that they have in fact complied. A formalities specification that requires the assistance of an IT expert to understand it will deter people from using the procedure and increase the incidence of disputes for those who do so. Injustice will be caused if the courts are filled with disputes about whether the right kind of electronic signature has been used in cases where there is no real doubt about the identity of the testator and the authenticity of the will.

Over-technology-specific

16. As a general rule technology-neutral legislation is preferable to technology-specific legislation.

17. This is for two reasons. First, technology-specific legislation can be overtaken by technological developments, with the result either that it is uncertain whether a new technology complies with the requirements, or that the legislation may clearly exclude the new technology even though functionally it performs as well or better than the old technology. Second, technology-specific legislation tends to lock in particular technology vendors rather than opening the market to all whose offerings are able to provide the required functionality (cf Consultation paper 6.36 and 6.37).

18. Against that, however, is the concern that if legislation is drafted at a very high level of abstraction in order to accommodate possible future technologies, it carries the price of uncertainty as to whether any given technology does or does not comply with the formalities requirements. That is most undesirable, for the reasons set out above.

19. Reconciling these opposing considerations is no easy task. Indeed it may be impossible to achieve a wholly satisfactory resolution. Nevertheless the competing considerations should be recognised and addressed.

Validity versus evidence

20. Validity and evidence have to be considered separately. Validity is not a matter of evidential value. Whilst the overall purpose of a formality requirement may be to maximise evidential value and to deter fraud (cf Lim v Thompson), the formality requirement itself stands separate as a rule of validity. 

Commentary on Chapter 6 of Consultation Paper

21. In the light of the introductory discussion above I offer the following comments on some aspects of Chapter 6. I will start with Enabling Electronic Wills (6.33 to 6.43), since that contains some of the most fundamental discussion.

Enabling Electronic Wills (6.33 to 6.43)

6.34 ‘It is highly likely that their use will become commonplace in the future’.

22. Since ‘the future’ is an indeterminate period this is probably a reasonably safe prediction. However, with apologies to Victor Hugo, there is nothing as feeble as an idea whose time has yet to come.

23. Science fiction films from the 1950s and 1960s routinely showed video communicators – an idea that stubbornly refused to take off for another 50 years. Even now video tends to be used for the occasions when seeing the other person is an actual benefit rather than a hindrance – special family occasions, business conferencing, intimate private exchanges for example.

24. Electronic wills have something of that flavour: possible in principle, but why do it when paper has so many advantages: 
  • (Reasonably) Permanent
  • Cheap
  • (Reasonably) secure
  • (Reasonably) private
  • Serious (ceremonial)
  • (Relatively) simple to comply with
25. By contrast electronic wills, as technology currently stands, would be inherently:
  • Impermanent
  • Costly
  • Insecure
  • Less private
  • Casual
  • Complicated to comply with
26. We cannot exclude the possibility that the effort and expense required to overcome, or at least mitigate, these disadvantages may at the present time be out of proportion to the likely benefit. It is perhaps no surprise that stakeholders report little appetite for electronic wills. We should beware the temptation to force the premature take-up of electronic wills simply because of a perception that everything should be capable of being done electronically.    

27. Whilst predictions in this field are foolish, one way in which technology might enable electronic wills in the future is the development (perhaps from existing nascent e-paper technologies) of cheap durable single-use tablets on which an electronic document and accompanying testator and witness signature details could be permanently inscribed and viewed electronically.

28. This is not to say that legislation should not be re-framed now to facilitate the development of appropriate forms of electronic will. Ideally such legislation should capture the essential characteristics of the desired will-making formalities in a technology-neutral but understandable way, rather than prescribe or enable the prescription of detailed systems. In theory it would not even matter if currently there is no technology that can comply with those characteristics electronically.  Such legislation would allow for the possible future development of as yet unknown compliant technologies.

29. However as already discussed, achieving that aim while at the same time leaving a putative testator with no room for doubt about whether a particular technology does or does not satisfy the requirements of the law is not an easy task. It is also pertinent to consider how the presumption of due execution might apply in an electronic context. With paper the presumption arises from matters apparent on the face of the will (Consultation Paper, 5.11). The more technical and complex the formalities requirements for an electronic will, the less will it be possible for compliance with those formalities to be apparent on the face of the document.

6.34 ‘We have focused on electronic signatures’

30. As already indicated, to focus on electronic signatures to the exclusion of the other relevant formalities is, I would suggest, an invitation to error. In reality the Consultation Paper does, of necessity, refer to the other formalities. However it would be preferable explicitly to recognise the interdependence of the four categories of formality and to consider them as a coherent whole.

6.35 ‘First and most importantly, electronic signatures must be secure’

31. This, it seems to me, risks falling into the related traps of over-engineering and of over-estimating the reliability of non-electronic systems (see [10] above).

32. Nor am I sure that the paragraph adequately separates the three functions of a signature discussed above: assent to terms/intention to be bound, identification and authentication.

33. The statement that an electronic signature must provide “strong evidence that a testator meant formally to endorse the relevant document” elides all three functions. The next sentence “electronic signatures must reliably link a signed will to the person who is purported to have signed it” elides the second and third functions. We then have the statement “Handwritten signatures perform this function well”. It is unclear which function or functions are being referred to. Handwritten signatures do not perform each function equally well.

34. It is true that a (genuine) handwritten signature, buttressed by the surrounding formality of double witnessing, is strong evidence of intention to be bound.

35. A well-formed handwritten signature (a ‘distinctive mark’, in the words of the Consultation Paper) provides reasonably strong evidence of identity, assuming that comparison handwriting can be found (something not required by the Wills Act and so more in the nature of a working assumption - cf para 6.53 of the Consultation paper). A mark (which is permissible under the Wills Act) does not do so. The witnesses (if available) are also relevant to proof of identity.

36. Parenthetically, one wonders whether the evidential weight assumed to be provided by signatures may have changed over the period since the enactment of the Wills Act 1837. The use of marks may have been more widespread than today and forensic techniques must have been less advanced. Do we now attribute greater reassurance to the use of a handwritten signature than was originally the case?  At any event, given the wide degree of latitude allowed to the form of a handwritten signature the degree of assurance cannot be regarded as uniform across all handwritten signatures.

37. A handwritten signature is weak evidence of linkage to the document. The signature is present only on the page on which it appears. Proof of the integrity of the whole document (if required) would depend on factors that have nothing to do with the signature (e.g. analysis of the paper and typescript ink).

38. Manuscript signatures provide a degree of evidential value for some relevant facts, but they are by no means perfect. It is of course true that a typed signature is of less evidential value than most manuscript signatures. Conversely, as discussed above ([9]) even the most sophisticated electronic signature is only as secure as its weakest link: the password or PIN (or combinations of such), or other mechanisms, that the testator has used to protect the signature key.

39. Notwithstanding its common usage I would tend to avoid the use of the word ‘secure’ in relation to electronic signatures without making clear which function or functions of a signature are being referred to and what precisely is meant, in that context, by ‘secure’.

40. Eliding the related roles of signatures and other formalities is apt to cause unnecessary confusion and, I would suggest, risks unintentionally placing too much of the formalities burden on the electronic signature.

6.35 ‘We have worked on the basis that electronic signatures should be no less secure than handwritten signatures’

41. On the face of it this is unexceptional. However, on closer inspection it suffers in two respects.

42. The first, already mentioned, comes from considering the signature in isolation from other formalities. In principle an electronic signature could permissibly be less secure than a manuscript signature if other formalities were sufficiently strong to compensate. For instance (without necessarily recommending this) the view could be taken that a notarised typewritten electronic signature would be acceptable (if a satisfactory way of notarising electronic documents had been found). The electronic signature itself would be less secure than the manuscript signature, but the combination of formalities could be adequate. Use of a notary instead of witnesses would avoid the authorisation problem identified at Consultation Paper 6.84.

43. The second is that when we break down the functions of the signature, as above [6], then factor in the variations in ‘security’ provided by the range of permissible handwritten signatures, it is quite unclear what is meant by the level of ‘security’ of a handwritten signature.  The temptation (see [11] above) is to over-estimate the security of a handwritten signature when making a comparison of this kind.

6.35 ‘It is essential that a legal mechanism exists for determining which electronic signatures are sufficiently secure, and which are not.’

44. Security (whatever may be meant by that in context) is one aspect of an electronic signature. Given what I have said above about the respective merits of technology-neutral and technology-specific legislation, it is probably inevitable that if the electronic signature itself is to bear any of the formalities burden, there will have to be some definition of which kinds of signature qualify and which do not. This is, however, a potential minefield.  It is almost impossible to define different kinds of signatures at any level of generality in a way that enables a lay person to understand, or that enables an IT expert to say with certainty, what qualifies and what doesn’t. One only has to look at eIDAS and the Electronic Signatures Directive before it to appreciate that.  The ability to be certain that one has complied with the necessary formalities of making a will is surely a sine qua non.

45. At risk of over-repetition it is the whole bundle of formalities, not just the signature, that requires a clear set of legal rules for the electronic environment.

6.36 'There is a risk that narrowly specifying types of valid electronic will could be counterproductive.'

46. Agreed. However see comments above ([16] to [19]) regarding the difficulties of drawing a viable balance between technology-specific and technology-neutral. Also, it is possible (although I have not investigated the matter) that the problem with the existing attempts mentioned in the Consultation might have been over-engineering rather than technology-specificity. Although the two often go hand in hand and over-engineering is always technology-specific, the converse is not necessarily true. A requirement of paper is technology-specific, but not over-engineered.

6.38

47. If the principles of clear and understandable requirements for all relevant formalities are adhered to, it ought to follow that any technical method that complies with those formalities is permissible. If all that is being said here is that the requirements must not be so abstract as to create uncertainty as to what does and does not comply, that must be correct (see above [18]).

48. If perhaps this paragraph is recognising that formalities other than the signature itself are relevant, then I would endorse that (see above [3]). Even so this paragraph appears to treat the other formalities as something of an afterthought. This is in my view not a good approach. The better approach is to treat all the formalities as a coherent, interdependent whole.

49. If the last sentence is saying that the law should set out a clear set of formalities for electronic wills, that is one thing. If it is suggesting the establishment of some kind of regulatory body to oversee will-making, that is another matter. Similarly it is unclear what is intended by the reference in 6.39 to ‘regulating’ electronic wills.

6.39 and 6.40

50. See comments on 6.45 below.

6.41

51. Witnessing requirements are one of the related formalities discussed above ([3]). Again, however, I believe it is an error to view witnessing requirements as a secondary issue, to be considered consequentially upon the introduction of electronic signatures. The formalities should be approached as a coherent, interdependent whole.

6.42

52. This paragraph reinforces my view expressed in the previous paragraph.  Whilst it is correct that the suitability of any particular method of witnessing would depend on precisely how a will is to be electronically signed, it seems to me unhelpful to exclude altogether the possibility of dispensing with witnessing as traditionally understood.   

53. For instance, in the hypothetical notarisation example given above [42] (see also [67]) there would be no need for separate witnessing. For a certificated digital signature there might be an argument that the certification authority could substitute for some (but not necessarily all) of the functions of a witness (although the points raised by Stephen Mason and Nicholas Bohm in their submission dated 14 August 2017 regarding long term assurance are well made). 

Uncertainty in the current law

6.45 (Consultation Question 31)

54. I suggest the Law Commission should consider whether some limited kinds of electronic signature in conjunction with appropriately crafted form, medium and process formalities should be permissible under the Wills Act, coupled if appropriate with an enabling power for future extensions.

Electronic Signatures – methods and challenges (6.46 to 6.87)

55. I have read the submission of Stephen Mason and Nicholas Bohm dated 14 August 2017.  I will not repeat what they say about this section of the Consultation since I agree with much of it. In particular I support paragraphs 24 to 29, 31 to 33 and 36 of their submission.  In addition I have the following comments.

6.46 'methods such as passwords are considered to be signatures'

56. Like any other method a password can serve as a signature only if there is intent thereby to authenticate the document and assent to or be bound by its terms.  While it may be the case that a password can therefore serve as a signature (see e.g. Bassano v Toft [2014] EWHC 377 (QB), where clicking on an ‘I Accept’ button was held to be a signature), it would seem likely to be a minority of cases in which it would do so. Most passwords are not used as signatures. It would seem debatable whether a password or PIN used to access a signature device or method is itself used as a signature, particularly where further steps are required before the signature is applied to the document.

6.49 'we expect viable electronic signatures to have similar or better value'

57. See comments at [41] to [43] above.

6.52 ‘A high risk of fraud’

58. This might be better described as a high vulnerability to fraud.

6.52 et seq

59. See comments above regarding the three functions of a signature ([6] to [7]) and the need to consider the usefulness (or otherwise) of a handwritten signature separately in relation to each function ([33] to [35]).

6.55 'photocopied writing does not allow for full consideration of all the attributes of writing'

60. True, but if photocopied writing is all that is available (for instance if the original will has been lost) the will is not as such invalidated. It can in principle be admitted to probate on provision of appropriate evidence. If it is disputed an expert would presumably have to do his or her best with what is available.

6.57

61. The first sentence is indisputable. However the second sentence does not follow. Other formalities could be adopted to compensate for the ‘insecurity’ of an ordinary electronic signature.

6.58 and 6.59

62. The fact that marks are permissible and that wills executed in that way can be verified in a different way from forensic examination (by extrinsic evidence) are pointers to how things could be done, rather than an anomaly to be disregarded. Whilst concerns about deluging the Probate Service with extrinsic evidence are understandable, that risk could be mitigated by introducing more stringent surrounding formalities where an ordinary electronic signature is used. 

Electronic signatures and eIDAS

6.24

63. eIDAS, as an EU Regulation, has direct effect in the UK. The 2016 Regulations are in addition and also make consequential amendments to existing UK legislation.

6.26

64. Article 2(3) would enable requirements of form to be applied. However it is not clear to me that eIDAS is limited to the commercial and transactional context. Electronic identification schemes (Consultation Paper, fn 20) are unrelated to electronic signatures.

6.28

65. See Mason and Bohm submission at paras 24 to 26 as to the apparent technical misunderstanding regarding the need for a counterparty.

6.30

66. Whatever is done must nevertheless comply with eIDAS (although this may be overtaken by Brexit).

Some illustrative scenarios for possible consideration

These scenarios are put forward to illustrate how consideration of the four kinds of formality as a coherent whole could lead to different approaches from focusing on electronic signatures as the primary concern. They do not pretend to be fully worked out proposals.

Ordinary electronic signature plus notarisation


Signature: Any electronic signature is permissible
Form: Signature plus notarisation (no witness required)
Medium: Durable medium?
Process: E-notarisation (if available)

67. The advantage of such a process would be that the security, seriousness and ceremonial aspect provided by witnessing would be retained, while not placing on the testator the burden of understanding or implementing secure digital signature systems. That burden would fall on the notary, who as a professional provider of notary services would be well placed to make the necessary investment of time and money in training and in acquiring suitable equipment.

68. The disadvantage compared with the traditional witnessing process is the need to find a professional notary, who would charge a fee for the notarisation. However, in the context of enabling a new process as an optional alternative to the traditional one, that may be acceptable.  

69. I am not aware of whether UK notaries yet offer full e-notarisation services as is done in at least some states in the USA (see Mason and Bohm submission para 52). It may be that legislation would be required to enable that. However since the essence of notarisation is that the notary makes checks on identity in relation to formal document signing, this would seem to be an option worth exploring.

Electronic in-presence signature and witnessing


Signature: Qualified electronic signature? (testator and witnesses)
Form: As present
Medium: Durable medium?
Process: As present. Witnesses would observe testator applying signature to document on screen, then do the same.

70. This method would avoid the need to find and pay a professional notary but is more challenging for the testator and witnesses, each of whom would have to equip themselves with a signature device capable of applying (say) a qualified electronic signature.

71. The eIDAS regime ought in principle to assure that the device does apply a conformant signature, assuming that the relevant providers are on an EU trusted providers register.  However in practice this may not be something that a lay person can be completely confident about. There may also remain challenges as to how to establish, perhaps many years later, that the signature was indeed a QES and as to how the document and any associated record of the method used to sign it should be stored (cf Mason and Bohm submission). The effects of Brexit on reliance on the eIDAS regime would also have to be considered.




[1] See further my article Can I use an electronic signature? DigitalBusiness.law, 12 May 2017 (http://digitalbusiness.law/2017/05/can-i-use-an-electronic-signature/).
[2] Electronic Commerce: Building the Legal Framework, March 31, 1998.

For further background see my article ‘Legislating for Electronic Transactions’ (Computer and Telecommunications Law Review, 2007 C.T.L.R. 41).




Friday, 15 April 2016

Future-proofing the Investigatory Powers Bill

[Based on a presentation to BILETA 2016 on 11 April 2016]

If we know one thing about the Investigatory Powers Bill, it is that it must be future-proof. Legislation should, self-evidently, stand the test of time in the face of rapid technological change and not become out of date overnight.

However the task is not a simple matter of spraying a coat of future-proof paint on to the Bill. Future-proofing can give rise to serious difficulties when the legislation furnishes the state with intrusive powers over its citizens. An attempt to future-proof blighted the current Regulation of Investigatory Powers Act (RIPA). The signs are that some of the mistakes of RIPA are about to be repeated in the Investigatory Powers Bill.

How should we set about future-proofing legislation? In the communications surveillance field two techniques have been tried.

One is a broad, flexible, order-making power. The statute would empower the Secretary of State to make and revise regulations from time to time, subject to less Parliamentary scrutiny than for primary legislation. However when considering the primary legislation Parliament has only the mistiest outline of what it is being asked to approve. The features of the landscape do not appear until it is too late.

That was the approach adopted in the draft Communications Data Bill (CDB), which in 2012 was stopped in its tracks by a Joint Parliamentary Committee. Clause 1 of the draft Bill was a general order-making power that could be used to mandate collection, generation and retention of communications data. Home Office official Charles Farr said in evidence to the Committee:

"Future-proofing and flexibility are at the heart of the language we have used in clause 1."

The Committee noted the "wide anxiety raised by the breadth of clause 1". It concluded:

"We do not think that Parliament should grant powers that are required only on the precautionary principle. There should be a current and pressing need for them."

Remnants of the CDB approach survive in parts of the Investigatory Powers Bill.

The power to serve technical capability notices on telecommunications operators sets out a list of obligations that can be imposed, including the obligation to remove electronic protection applied by or on behalf of the operator. Although the list is fairly specific, the power itself is open-ended. The obligations that may be specified in regulations merely "include, among other things" the items in the list.

The direct descendant of Clause 1 of the CDB is Clause 78 of the IP Bill. Clause 78, unlike the CDB, sets out a list of ‘Relevant Communications Data’ that can be the subject of data retention notices issued by the Secretary of State. The items on the list are still described in quite general terms, including for instance “data which may be used to identify, or assist in identifying, … the type, method or pattern, or fact, of communication”.

Clause 78 also retains a strong bias towards the ‘precautionary principle’ deprecated by the 2012 Joint Committee. At present notices under DRIPA can require retention of a few specific types of data in respect of limited categories of communication such as internet e-mail, SMS messages and internet telephony. The Counter Terrorism and Security Act 2015 added IP address resolution data. The financial projections in the Home Office’s IP Bill Impact Assessment allow only for the addition of so-called internet connection records. Yet Clause 78 is much broader than that, encompassing for instance the machine to machine communications that will underpin the internet of things. There has been no attempt to explain or justify this broad scope.

Another method of future-proofing is technological neutrality. This approach contrasts with technology-specific legislation. The objective is to draft at a sufficiently abstract level to allow for future changes in technology.

IT and technology lawyers have been brought up to think of technologically neutral legislation as a Good Thing. Professor Chris Reed observed in 2007 that technological neutrality had become part of the general wisdom: 'motherhood and apple pie'. And so it was, when we were trying to avoid problems such as statutory writing requirements that assumed paper. However technological neutrality runs into trouble when applied to intrusive state powers.

The first problem is that abstract drafting has a tendency to be unintelligible. The obvious example is RIPA. Sir David Omand, the Permanent Secretary in the Home Office at the time RIPA was prepared, told the Commons Home Affairs Select Committee in February 2014:

“The instructions to parliamentary draftsmen were to make it technology-neutral, because everyone could see that the technology was moving very fast. Parliamentary draftsmen did an excellent job in doing that, but as a result I do not think the ordinary person or Member of Parliament would be able to follow the Act without a lawyer to explain how these different sections interact.”

RIPA is notoriously impenetrable, even to lawyers. It has been criticised almost from birth:

"We have found RIPA to be a particularly puzzling statute" (R v W, Court of Appeal, 2003)

"longer and even more perplexing" than the "short but difficult" Interception of Communications Act 1985. (Lord Bingham, A-G’s Ref (No 5 of 2002), 2004)

"this impenetrable statute … one of the most complex and unsatisfactory statutes currently in force." Professor David Ormerod (2005)

"a complex and difficult piece of legislation" Mummery LJ (then President of the Investigatory Powers Tribunal, 2006)

"RIPA 2000 is a difficult statute to understand" (Sir Anthony May, IOCC Report for 2013)

"RIPA, obscure since its inception, has been patched up so many times as to make it incomprehensible to all but a tiny band of initiates" (David Anderson Q.C., A Question of Trust, 2015.)

Unintelligibility is a direct consequence of the attempt to future-proof by technologically neutral, abstract drafting.

Intelligibility is not just a lawyer's nice to have. Where intrusive powers are concerned it is a rule of law principle that the public should be able to know with reasonable certainty the kind of circumstances in which the powers may be used against them. Unintelligible legislation fails that test. A Question of Trust said:

“The desire for legislative clarity is more than just tidy-mindedness. Obscure laws – and there are few more impenetrable than RIPA and its satellites – corrode democracy itself, because neither the public to whom they apply, nor even the legislators who debate and amend them, fully understand what they mean.”

A Question of Trust challenged the government to produce legislation that is both comprehensive and comprehensible.

A second problem with applying technological neutrality to intrusive powers arises from the fact that where the technology goes, so the powers automatically follow.

This of course is what the technique is intended to achieve. As people use technology in ways that were unknown at the time of the legislation, the powers will apply to the new behaviour. However the result is that the balance between privacy and intrusion that Parliament contemplated at the time it passed the legislation is liable to shift due to mere accidents of technology.

Again, RIPA is a prime example. Mobile phones existed in 2000, as did the internet. But they were not yet combined. When they merged on the smartphone all kinds of human activity that were previously untouched by RIPA suddenly fell into its scope.

It will be said that that is how it should be: conspirators who used to communicate by telephone and now use over-the-top messaging should be subject to equivalent powers. That may be so. But entirely personal behaviour that does not involve any kind of messaging between two or more human beings has also been swept up. We never used to read books or newspapers over the telephone. Now we read websites remotely. RIPA counts this activity, equivalent to sitting at home reading a book, as a communication - as if it were the same as e-mailing or text messaging a contact.

The mobile internet was not contemplated by the legislators in 2000. The result of this accident of technology is a major shift in the privacy/intrusion balance, without Parliament ever having had the opportunity to consider it. Now that Parliament is considering it, it is doing so against the background of a sense of entitlement to the bounty of data that adventitiously fell into the laps of intelligence agencies and law enforcement bodies.

What should we do? The key is to ask what we should be seeking to future-proof: the powers themselves or the privacy/intrusion balance settled upon by Parliament when it enacts legislation of this kind. My own view is that we should learn the lesson of RIPA and seek to future-proof the privacy/intrusion balance, not the powers.

That would require a fundamentally different approach: concrete, technology-specific drafting, sunsetting of powers, frequent review by Parliament and continued openness by the government about how the powers have been used. The latter is critical if Parliament is to engage in an informed debate when powers come back for renewal.

Regrettably, the IP Bill has gone down a similar track to RIPA. It has tried to future-proof the powers and, as with RIPA, the predictable result is unintelligibility. The House of Commons Science and Technology Committee said in its report on the draft Bill:

“The Home Secretary told us subsequently that the definitions for ‘communication data’ and ICRs were intended to be “technology neutral and flexible in order that, should user behaviour and technology change, they will still apply”. The definitions were to be applied “to the full range of powers and obligations under the draft Bill” which had subsumed provisions from several current statutes. As a result, “the definitions as they are formulated are necessarily abstract”.” (emphasis added)

The Committee concluded:

“The government, in seeking to future-proof the proposed legislation, has produced definitions of internet connection records and other terms which have led to significant confusion on the part of communications service providers and others.”

The "others" include the general public, whose communications form the subject of the Bill and who should, as a matter of the rule of law, be able to understand the scope of the powers.

The government, responding to a recommendation by the Joint Committee, has included provision for review of the Bill after five and a half years. However that is insufficient without addressing the problems of over-abstract drafting. Nor is hiving off detail to Codes of Practice a good approach. It is not the function of Codes of Practice to compensate for obscure legislation. 


Further reading on technology neutrality

Alberto Escudero Pascual and Ian Hosein, The hazards of technology-neutral policy: questioning lawful access to traffic data, Communications of the Association for Computing Machinery (CACM), published 29 Feb 2004

Chris Reed, Taking Sides on Technology Neutrality, (2007) 4:3 SCRIPTed 263

Graham Smith, Are Techlaw principles in the Ascendency? Intellectual Property Forum: journal of the Intellectual and Industrial Property Society of Australia and New Zealand, Issue 96 (Mar 2014)


[Amended 15 April 2016 to make specific reference to mobile internet.]