Engagement of foreign experts to produce a digital signature bill which is the worst in the world is a gross waste of taxpayers’ money

Speech - Digital Signature Bill 199
by Lim Kit Siang

(Dewan Rakyat, Monday): I propose amending Section 2(1) on the interpretation clause by adding the following interpretation after the definition for "rightfully hold a private key":

During the winding-up just now, the Deputy Minister for Energy, Telecommunications and Posts, Datuk Chan Kong Choy said that apart from the Attorney-General’s Chambers and officials from his Ministry, the government had invited foreign experts to give their contributions when drafting the Digital Signature Bill.

If this is true, then this is a gross waste of taxpayers’ money to engage foreign experts to produce a digital signature bill which is the worst in the world.

How many foreign experts had come to Malaysia to advise on the digital signature legislation, what was their role and how much was spent on them? I had studied the Digital Signature Bill in detail, more detailed than the Deputy Minister as I can discuss in detail both the Bill and the Utah Digital Signature Act.

Can we know one contribution which the foreign experts had made to the Bill which is not in the Utah Digital Signature Act? Just name only one is enough. Can we justify the hundreds of thousands of ringgit spent on the foreign experts by just naming one contribution they have made!

Anyone who makes a study of the Bill will find that all the provisions are copied from the Utah Digital Signature Act. Were there no officers in the Attorney-General’s Chambers who can read and understand the Utah Digital Signature Act that we have to engage foreign consultants to read and understand the American legislation for us?

This is most shameful and brings dishonour to the people of Malaysia. There is not a single section in this Bill which is new - in fact, there is not a single item in the Bill which is better than the Utah Act.

This is why I say that the Digital Signature Act we are enacting is Utah II but Utah II is worse than Utah I. Why?

More than two years have passed since the first enactment of the Utah Act. We should be able to make Utah II better than Utah I. Why are we enacting a Utah II which is worse than Utah I?

The Utah Digital Signature Act is being criticised in the United States for not giving adequate consumer protection, but the Bill has removed even those clauses in the Utah legislation which are already being criticised as not giving adequate protection to the consumers!

The amendment on a "suitable guaranty" is one such example, which is in the Utah Digital Signature Act but removed in the Bill. What is the reason for dropping this provision?

The purpose of a "suitable guaranty" is to give protection to consumers by requiring certification authorities (CAs) to act responsibly and take out a bond so that subscribers and consumers would not get paper judgements but can recover actual damages when they win legal suits against CAs.

Why remove such a safeguard to protect the interests of subscribers and consumers? We should give better protection to consumers in our country than is to be found in America, as we aim to be among the world-ranking nations. It is most regrettable that this ambition to be a world-class nation has not been extended to the area of consumer protection.

The "suitable guaranty" provision is important to protect consumer interests, especially as there is a provision in the bill on maximum reliance limit "capping" the liability of CAs. The surety guarantee will ensure that CAs have the financial resources to meet their "maximum reliance limit".

I will give another example as to why we have failed to take advantage of Utah I and the developments of digital signatures in other parts of the world in the past three years to make our Utah II the best digital signature law in the world.

The Deputy Minister said just now that Section 2(1) provides that asymmetric cryptosystem is the basis for our digital signature regime and that if there are technological changes in the future, we can amend the law accordingly. We can of course amend the law in one or two years’ time, but this should not be an excuse for shoddy legislation or for not having the best digital signature law in the world.

When the Utah Digital Signature Act was passed in 1995, asymmetrical cryptography was the technology of the time, but now, there is a different trend in the latest digital signature legislation. For example, the digital signature law just enacted in California in April is not tied to asymmetrical cryptography as a digital signature law should not be technology-specific but be technology-neutral so that whatever technology which is best can be adopted.

The reason for not tying digital signature legislation to a technology-specific system like asymmetrical cryptography is that by precluding other technologies, future innovations would be discouraged. Proponents of biometric authentication methods, for instance, argue that it is foolish to legislatively enshrine public key cryptography as the only technology capable of authenticating an electronic document as biometric methods can currently accomplish many of the same goals as digital signatures.

This is why the California Digital Signature law is not technology-specific but technology-neutral, providing that for a digital signature to be valid for use by a public utility, it must be created by a technology that is accepted for use by the State of California, including public key cryptography. What is significant is that public key cryptography is an acceptable technology for digital signatures in California, but in Malaysia, we are providing that only public key cryptography is permissible because our law is technology-specific. We are supposed to be at the cutting-edge of the latest technology, making use of the best and the most modern, and not follow models which are already overtaken by events. This is what foreign experts are for, but the world is moving forward while we are going backwards as far as digital signature legislation is concerned.

This is why there should have been the fullest public discussion and consultation in the process of formulating the digital signature law. Information technology is so new that no one can call himself an authority. If we invite public discussion and consultation involving those who are versed, experienced and knowledgeable in different aspects of IT, we would be able to pool our collective expertise and experience. How can we expect to catapult into the Information Technology era if we continue to have a "closed" mind and outlook? There must be a new mindset if we are serious in wanting Malaysia to make the quantum leap into the age of IT.

I next propose an amendment to section 3(4) of the Bill, which reads: "The Controller and all officers and servants appointed by the Controller under subsection (3) shall exercise their powers under this Act subject to such directions as to general policy and orders as may be given or made by the Minister". My amendment is to delete the words: "subject to such directions as to general policy and orders as may be given or made by the Minister".

The powers and duties of creating a digital signature system and the monitoring and overseeing of certification authorities should be the sole responsibility of the Controller of Certification Authorities and it is inappropriate to involve the Minister either in the nitty-gritty or even in general policy direction of a digital signature system as the Bill has already decided on a technology-specific approach involving asymmetrical cryptography.

Let us be prepared to do things in a new way and not to keep to old habits of involving the Minister in the creation and monitoring of the digital signature system. Let the Controller be given full powers and authority to carry out his duties as laid down by the Digital Signature Act.

My third amendment to the Bill is to delete Sections 4(3) and 4(5) of the Bill. Section 4(3) of the Bill reads:

Section 4(5) of the Bill reads:

Why do we need this sub-section 4(3) to give to the Minister the power to exempt any CA from the provisions of this section? All persons should be required to comply with the same qualification conditions to become a CA. Giving the Minister such exemption powers is unhealthy and likely to lead to abuse of power. Can the Deputy Minister explain why such Ministerial exemption powers are necessary?

My fourth amendment is to substitute the words "The Minister" with "The Controller" in Section 5(1) and (2) of the Bill, which empowers the Minister to prescribe the qualification requirements for certification authorities by regulations made under the Act or to vary or amend them.

Why should administrative matters in enforcing the Digital Signature Act require Ministerial interference? In the era of IT, we should minimise Ministerial interference. IT should mean empowerment to the Controller and not the concentration of powers in the hands of the Minister in a matter which is not necessary at all.

In the Utah Digital Signature Act, there is no provision for the Secretary of Commerce of Utah (the counterpart to the Minister here) to decide on regulations as this is left to the Division of Corporations and Commerce Code within the Department of Commerce, Utah (the counterpart to the Controller under the Bill) to make and prescribe all the necessary rules and regulations.

Why must the Minister have a hand in everything in Malaysia, where the Minister can sit on everybody, even on matters which should come within the province of the Minister - as in administering the digital signature system?

I next propose the insertion of a new Section 5(3) which reads:

This is self-explanatory, which is to prescribe rules governing a "suitable guaranty" to protect the interests of consumers in cases involving CA liabilities.

My eighth amendment is to propose the insertion of new Section 20(2A), as follows:

This is another instance where, although we use the Utah Act as our model, we do not follow what is good for the consumers in order to ensure that CAs operate with full responsibility as the losses that can be caused by their negligence and irresponsibility could be vast - and many times more serious than scandals like the co-operative finance scandal some ten years ago.

This provision, which is to be found in the Utah Act, is dropped from the Bill. We may be told that this provision would be put into the regulations that would be drafted for the implementation of the Digital Signature Act. Such an important provision should be incorporated in the parent act rather than saying that it would be put in the regulations when this matter is raised. This would only send a wrong signal that the government is not serious in monitoring the activities of CAs.

The setting out of the various criteria which must be complied in the performance audits of CAs is important as there are many cases where auditors do not comply with legal or professional requirements when auditing companies.

The omission of this provision from the Bill is another example where Utah II is worse than Utah I.

My next amendment is to insert a new Section 26A as follows:

This is also a provision from the Utah Digital Signature Act but removed in this Bill. I cannot accept the explanation that these provisions would be put in the regulations as satisfactory. Do we have to engage foreign experts just to advise that certain provisions in the Utah Digital Signature Act be transferred from the parent Act to the regulations?

I reiterate that I am confident that the Deputy Minister cannot give a single instance which is the result of the contribution of the foreign experts and which had nothing to do with the Utah Digital Signature Act.

What we have done is to copy word for word what is in the Utah Digital Signature Act apart from removing sections aimed at protecting the interests of the consumers.

Have we been misled and even cheated by the foreign experts, who were supposed to advise us on drafting our digital signature law? I am still waiting for the Deputy Minister to answer how many, the identity, the costs of these foreign experts and what good they have done!

What is our own input in the drafting of the Digital Signature Bill? If the Bill before the House is all that we want, it is very easy and needs only one or two days just to copy from the Utah legislation. We have given no new inputs whatsoever. To be fair, we do have one new input - which is to render the Bill into Bahasa Malaysia - and it took us some two years to do this. And we still need foreign experts! Is this the way Malaysia is entering the IT era? A quantum leap with no inputs?

I feel very ashamed as a Malaysian that we cannot have the best digital signature law in the world by benefitting from the experiences of other nations. There is nothing wrong in following the good examples of others but we must have our own inputs.

Unfortunately, there seems to be a general absence of the feeling of shame. It was reported today that at the National Congress on Vision 2020, the Prime Minister, Datuk Seri Dr. Mahathir Mohamad stressed the need for a strong sense of shame in our society or our people and nation could be destroyed.

My last amendment is to insert a new Section 61(A) as follows:

This is another provision in the Utah Digital Signature Bill but which has been dropped in the Bill without good reason. In fact, if we look at the various provisions which have been removed from the Bill, e.g. suitable guaranty, merit audit performance certificate, hazardous activity, collection based on suitable guaranty, they all concern safeguards to firstly, ensure that CAs operate with responsibility to avoid any CA scandal and secondly, to protect the interests of consumers.

The message the drafters and the Ministry of Energy, Telecommunications and Posts are sending with the removal of these sections in the Bill is not good at all - reinforcing the picture that the government is not concerned about the interests of consumers but only interested in impressing international IT/multimedia companies.

This is a bad start for the introduction of the first batch of cyberlaws in Malaysia and I hope we do not make the same mistake for future cyberlaws. Our first concern and priority must be the interests of Malaysians and not that of foreign companies.

We will be following closely the regulations that would be made under this Act to ensure that the promises given by the Deputy Minister that my various amendments would be written into the regulations.

Malaysia has lost a great opportunity to have the best digital signature law in the world, as we have ended up with the worst digital signature law. The Ministry of Energy, Telecommunications and Posts should set up a task force to study in depth the defects and weaknesses of the Utah legislation and now our own digital signature law, so that an amendment Bill could be introduced in the July meeting of Parliament to overcome these defects and weaknesses, including the various issues I had raised such as risks and liability allocation.

In actual fact, which Minister would be responsible for the Digital Signature Act? If we follow the Utah example, the official responsible is the Secretary of State for Commerce (whose counterpart should be the Minister for Domestic Trade and Consumer Affairs), as this is a subject which is more concerned about electronic commerce rather than telecommunications.

I do not know whether the Digital Signature Act would come under the jurisdiction of the Minister for Telecommunications, for although the Telecommunications Minister introduced the Computer Crimes Bill in the House, it will be the Home Minister who will have jurisdiction over computer crimes rather than the Telecommunications Minister.

If the Digital Signature Act comes under electronic commerce, then it should more properly be introduced in this House by the Minister for Domestic Trade and Consumer Affairs - except that there is now no Minister for this portfolio as the incumbent had to resign to assume the post of Selangor Mentri Besar when it is discovered that there is not a single Selangor UMNO Exco or Assembly member who is "clean and capable" enough to become head of government in the state.


*Lim Kit Siang - Malaysian Parliamentary Opposition Leader, Democratic Action Party Secretary-General & Member of Parliament for Tanjong