(Dewan Rakyat, Monday): I propose amending Section 2(1) on the interpretation clause by adding the following interpretation after the definition for "rightfully hold a private key":
""Suitable guaranty" means either a surety bond executed by a surety firm authorized to do business or an irrevocable letter of credit issued by a financial institution authorized to do business which satisfies all of the following requirements:
(i) it is issued for the benefit of claimants under this Act and is conditioned upon the certification authority conducting business as required by this Act;
(ii) it is in an amount equal to or exceeding the greater of either:
(A) 100% of the largest recommended reliance limit of a certificate to be issued or published by the filing certification authority during the term of the certification authority's license; or
(B) at least 35% of the recommended reliance limits of all certificates published by the filing certification authority which have not expired or been revoked;
(iii) it states that it is issued for filing pursuant to this Act;
(iv) it specifies a term of effectiveness extending at least as long as the term of the license to be issued to the certification authority; and (v) it is in a form approved by the Controller."
During the winding-up just now, the Deputy Minister for Energy, Telecommunications and Posts, Datuk Chan Kong Choy said that apart from the Attorney-General’s Chambers and officials from his Ministry, the government had invited foreign experts to give their contributions when drafting the Digital Signature Bill.
If this is true, then this is a gross waste of taxpayers’ money to engage foreign experts to produce a digital signature bill which is the worst in the world.
How many foreign experts had come to Malaysia to advise on the digital signature legislation, what were their role and how much were spent on them. I had studied the Digital Signature Bill in detail, more detailed than the Deputy Minister as I can discuss in detail both the Bill and the Utah Digital Signature Act.
Can we know one contribution which the foreign experts had made to the Bill which is not in the Utah Digital Signature Act? Just name only one is enough. Can we justify the hundreds of thousands of ringgit spent on the foreign experts by just naming one contribution they have made!
Anyone who makes a study of the Bill will find that all the provisions are copied from the Utah Digital Signature Act. Were there no officers in the Attorney-General’s Chambers who can read and understand the Utah Digital Signature Act that we have to engage foreign consultants to read and understand the American legislation for us?
This is most shameful and brings dishonour to the people of Malaysia. There is not a single section in this Bill which is new - in fact, there is not a single item in the Bill which is better than the Utah Act.
This is why I say that the Digital Signature Act we are enacting is Utah II but Utah II is worse than Utah I. Why?
More than two years have passed since the first enactment of the Utah Act. We should be able to make Utah II better than Utah I. Why are we enacting a Utah II which is worse than Utah I?
The Utah Digital Signature Act is being criticised in the United States for not giving adequate consumer protection, but the r Bill has removed even those clauses in the Utah legislation which are already being criticised as not giving adequate protection to the consumers!
The amendment on a "suitable guaranty" is one such example, which is in the Utah Digital Signature Act but removed in the Bill. What is the reason for dropping this provision?
The purpose of a "suitable guaranty" is to give protection to consumers by requiring certification authorities (CAs) to act responsibly and take out a bond so that subscribers and consumers would not get paper judgements but can recover actual damages when they win legal suits against CAs.
Why remove such a safeguard to protect the interests of subscribers and consumers? We should give better protection to consumers in our country than is to be found in America, as we aim to be among the world-ranking nations. It is most regrettable that this ambition to be a world-class nation has not been extended to the area of consumer protection.
The "suitable guaranty" provision is important to protect consumer interests, especially as there is a provision in the bill on maximum reliance limit "capping" the liability of CAs. The surety guarantee will ensure that CAs have the financial resources to meet their "maximum reliance limit".
I will give another example as to why we have failed to take advantage of Utah I and the developments of digital signatures in other parts of the world in the past three years to make our Utah II the best digital signature law in the world.
The Deputy Minister said just now that Section 2(1) provides that asymmetric cryptosystem is the basis for our digital signature regime and that if there are technological changes in the future, we can amend the law accordingly. We can of course amend the law in one or two years’ time, but this should not be an excuse for shoddy legislation or for not having the best digital signature law in the world.
When the Utah Digital Signature Act was passed in 1995, asymmetrical cryptography was the technology of the time, but now, there is a different trend in the latest digital signature legislation. For example, the digital signature law just enacted in California in April is not tied to asymmetrical cryptography as a digital signature law should not be technology-specific but be technology-neutral so that whatever technology which is best can be adopted.
The reason for not tying digital signature legislation to a technology-specific system like asymmetrical cryptography is that by precluding other technologies, future innovations would be discouraged. Proponents of biometric authentication methods, for instance, argue that it is foolish to legislatively enshrine public key cryptography as the only technology capable of authenticating an electronic document as biometric methods can currently accomplish many of the same goals as digital signatures.
This is why the California Digital Signature law is not technology-specific but technology-neutral, providing that for a digital signature to be valid for use by a public utility, it must be created by a technology that is accepted for use by the State of California, including public key cryptography. What is significant is that public key cryptography is an acceptable technology for digital signatures in California, but in Malaysia, we are providing that only public key cryptography is permissible because our law is technology-specific. We are supposed to be at the cutting-edge of the latest technology, making use of the best and the most modern, and not follow models which are already overtaken by events. This is what foreign experts are for, but the world is moving forward while we are going backwards as far as digital signature legislation is concerned.
This is why there should have been the fullest public discussion and consultation in the process of formulating the digital signature law. Information technology is so new that no one can call himself an authority. If we invite public discussion and consultation involving those who are versed, experienced and knowledgeable in different aspects of IT, we would be able to pool our collective expertise and experience. How can we expect to catapult into the Information Technology era if we continue to have a "closed" mind and outlook? There must be a new mindset if we are serious in wanting Malaysia to make the quantum leap into the age of IT.
[Deputy Minister replied that this provision of "suitable guaranty" would be included in the regulations which would be made by the Minister under Section 91(B) of the Act.]
I next propose an amendment to section 3(4) of the Bill, which reads: "The Controller and all officers and servants appointed by the Controller under subsection (3) shall exercise their powers under this Act subject to such directions as to general policy and orders as may be given or made by the Minister". My amendment is to delete the words: "subject to such directions as to general policy and orders as may be given or made by the Minister".
The powers and duties of creating a digital signature system and the monitoring and overseeing of certification authorities should be the sole responsibility of the Controller of Certification Authorities and it is inappropriate to involve the Minister either in the nitty-gritty or even in general policy direction of a digital signature system as the Bill has already decided on a technology-specific approach involving asymmetrical cryptography.
Let us be prepared to do things in a new way and not to keep to old habits of involving the Minister in the creation and monitorng of the digital signature system. Let the Controller be given full powers and authority to carry out his duties as laid down by the Digital Signature Act.
My third amendment to the Bill is to delete Sections 4(3) and 4(5) of the Bill. Section 4(3) of the Bill reads:
"4(3) The Minister may, on the application in writing being made in accordance with this Act, exempt
(a) a person operating as a certification authority within an organisation where certificates and key pairs are issued to members of the organisation for internal use only; and (b) such other person or class of persons as the Minister considers fit,
from the requirements of this section."
Section 4(5) of the Bill reads:
"A delegation under subsection (4) shall not preclude the Minister himself from exercising at any time the powers so delegated."
Why do we need this sub-section 4(3) to give to the Minister the power to exempt any CA from the provisions of this section? All persons should be required to comply with the same qualification conditions to become a CA. Giving the Minister such exemption powers are unhealthy and likely to lead to abuse of power. Can the Deputy Minister explain why such Ministerial exemption powers are necesaary?
My fourth amendment is to substitute the words "The Minister" with "The Controller" in Section 5(1) and (2) of the Bill, which empowers the Minister to prescribe the qualification requirements for certificiation authorities by regulations made under the Act or to vary or amend them.
Why should administrative matters in enforcing the Digital Signature Act require Ministerial interference? In the era of IT, we should minimise Ministerial interference. IT should mean empowerment to the Controller and not the concentration of powers in the hands of the Minister in a matter which is not necessary at all.
In the Utah Digital Signature Act, there is no provision for the Secretary of Commerce of Utah (the counterpart to the Minister here) to decide on regulations as this is left to the Division of Corporations and Commerce Code within the Department of Commerce, Utah (the counterpart to the Controller under the Bill) to make and prescribe all the necessary rules and regulations.
Why must the Minister have a hand in everything in Malaysia, where the Minister can sit on everybody, even on matters which should come within the province of the Minister - as in administering the digital signature system?
I next propose the insertion of a new Section 5(3) which reads:
"5. (3) The Controller shall make rules determining an amount appropriate for a suitable guaranty, in light of:
(i) the burden a suitable guaranty places upon licensed certification authorities; and (ii) the assurance of financial responsibility it provides to persons who rely on certificates issued by licensed certification authorities."
This is self-explanatory, which is to prescribe rules governing a "suitable guaranty" to protect the interests of consumers in cases involving CA liabilities.
My eighth amendment is to propose the insertion of new Section 20(2A), as follows:
"20(2A) (a) Based on information gathered in the audit, the auditor shall categorize the licensed certification authority's compliance as one of the following:
(i) full compliance: the certification authority appears to conform to all applicable statutory and regulatory requirements; (ii) substantial compliance: the certification authority generally appears to comply with all applicable statutory and regulatory requirements; however, some instances of noncompliance or inability to demonstrate compliance were found in the audited sample which were likely to be inconsequential; (iii) partial compliance: the certification authority appears to comply with some statutory and regulatory requirements, but was found not to have complied or not able to demonstrate compliance with one or more statutory or regulatory requirements; (iv) noncompliance: the certification authority complies with few or none of the statutory and regulatory requirements, or fails to keep adequate records to demonstrate compliance with more than a few requirements, or refused to submit to an audit."
This is another instance where, although we use the Utah Act as our model, we do not follow what is good for the consumers in order to ensure that CAs operate with full responsibility as the losses that can be caused by their negligence and irresponsibility could be vast - and many times more serious than scandals like the co-operative finance scandal some ten years ago.
This provision, which is to be found in the Utah Act, is dropped from the Bill. We may be told that this provision would be put into the regulations that would be drated for the implementation of the Digital Signature Act. Such an important provision should be incorporated in the parent act rather than saying that it would be put in the regulations when this matter is raised. This would only send a wrong signal that the government is not serious in monitoring the activities of CAs.
The setting out of the various criteria which must be complied in the performance audits of CAs is important as there are many cases where auditors do not comply with legal or professional requirements when auditing companies.
The omission of this provision from the Bill is another example where Utah II is worse than Utah I.
[The Deputy Minister replied that this provision would be included in the regulations.]
My next amendment is to insert a new Section 26A as follows:
"26A. Hazardous activities by any certification authority prohibited.
(1) A certification authority, whether licensed or not, may not conduct its business in a manner that creates a commercially unreasonable risk of loss to:
(a) subscribers of the certification authority;
(b) persons relying on certificates issued by certification authority; or
(c) any repository recognized under this Act.
(a) The Controller may publish in the repository it provides or elsewhere statements advising subscribers, persons relying on digital signatures, or public repositories about activities of a certification authority, whether licensed or not, that create a risk prohibited by Subsection (1).
(b) The certification authority named in a statement as creating or causing a risk may protest the publication of the statement.
(c) Upon receipt of a protest, the Controller shall:
(i) include with its statement a comment that a protest has been received; and
(ii) promptly give the protesting certification authority notice and an opportunity to be heard.
(d) Following the hearing, the Controller shall:
(i) rescind the advisory statement if its publication was unwarranted;
(ii) cancel it if its publication is no longer warranted;
(iii) continue or amend it if it remains warranted; or
(iv) take further legal action to eliminate or reduce a risk prohibited by Subsection (1).
(e) The Controller shall publish its decision in the repository it provides."
This is also a provision from the Utah Digital Signature Act but removed in this Bill. I cannot accept the explanation that these provisions would be put in the regulations as satisfactory. Do we have to engage foreign experts just to advise that certain provisions in the Utah Digital Signature Act be transferred from the parent Act to the regulations?
I reiterate that I am confident that the Deputy Minister cannot give a single instance which is the result of the contribution of the foreign experts and which had nothing to do with the Utah Digital Signature Act.
What we have done is to copy word for word what is in the Utah Digital Signature Act apart from removing sections aimed to protecting the interests of the consumers.
Have we been misled and even cheated by the foreign experts, who were supposed to advise us on drafting our digital signature law? I am still waiting for the Deputy Minister to answer how many, the identity, the costs of these foreign experts and what good they have done!
What is our own input in the drafting of the Digital Signature Bill? If the Bill before the House is all that we want, it is very easy and needs only one or two days just to copy from the Utah legislation. We have given no new inputs whatsoever. To be fair, we do have one new input - which is to render the Bill into Bahasa Malaysia - and it took us some two years to do this. And we still need foreign experts! Is this the way Malaysia is entering the IT era? A quantum leap with no inputs?
I feel very ashamed as a Malaysian that we cannot have the best digital signature law in the world by benefitting from the experiences of other nations. There is nothing wrong in following the good examples of others but we must have our own inputs.
Unfortunately, there seems to be a general absence of the feeling of shame. It was reported today that at the National Congress on Vision 2020, the Prime Minister, Datuk Seri Dr. Mahathir Mohamad stressed the need for a strong sense of shame in our society or our people and nation could be destroyed.
[The Deputy Minister told the House that the amendment proposed would be included in the regulations].
My last amendment is to insert a new Section 61(A) as follows:
"61 (A) Collection based on suitable guaranty.
(1) (a) Notwithstanding any provision in the suitable guaranty to the contrary:
(i) if the suitable guaranty is a surety bond, a person may recover from the bond surety the full amount of a claim against the bond principal or, if there is more than one such claim during the term of the bond, a ratable share, up to a maximum total liability of the surety equal to the face amount of the bond; or
(ii) if the suitable guaranty is a letter of credit, a person may recover from the issuing financial institution a claim against the customer named in the credit, or, if there is more than one claim during the term of the letter of credit, a ratable share, up to a maximum total liability of the issuer equal to the face amount of the credit.
(b) Claimants may recover successively on the same suitable guaranty, provided that the total liability on the guaranty to all persons making claims during its term may not exceed the face amount of the guaranty.
(2) In addition to the actual damages suffered by the claimant, the claimant may recover from the proceeds of a suitable guaranty, until depleted, reasonable legal fees, and court costs incurred by the claimant in collecting the claim.
(3) (a) A claim against a surety or issuer of a suitable guaranty must be filed in writing with the Controller and the surety or issuer, within one year after the claim arose.
(b) A claim must include a statement of the amount claimed and the basis for the claim.
(c) An action or suit against the surety or issuer of the suitable guaranty must be filed with the court within one year after the claim is filed with the Controller.
(d) Except as prohibited by rule made by the Controller, a suitable guaranty may, by contract, alter the obligations under this subsection."
This is another provision in the Utah Digital Signature Bill but which has been dropped in the Bill without good reason. In fact, if we look at the various provisions which have been removed from the Bill, e.g. suitable guaranty, merit audit performance certificate, hazardous activity, collection based on suitable guaranty, they all concern safeguards to firstly, ensure that CAs operate with responsiblity to avoid any CA scandal and secondly, to protect the interests of consumers.
The message the drafters and the Ministry of Energy, Telecommunications and Posts is sending with the removal of these sections in the Bill is not good at all - reinforcing the picture that the government is not concerned about the interests of consumers but only interested in impressing international IT/multimedia companies.
This is a bad start for the introduction of the first batch of cyberlaws in Malaysia and I hope we do not make the same mistake for future cyberlaws. Our first concern and priority must be the interests of Malaysians and not that of foreign companies.
[Deputy Minister said this provision will also be in the regulations.]
We will be following closely the regulations that would be made under this Act to ensure that the promises given by the Deputy Minister that my various amendments would be written into the regulations.
Malaysia has lost a great opportunity to have the best digital signature law in the world, as we have ended up with the worst digital signature law. The Ministry of Energy, Telecommunications and Posts should set up a task force to study in depth the defects and weaknesses of the Utah legislation and now our own digital signature law, so that an amendment Bill could be introduced in the July meeting of Parliament to overcome these defects and weaknesses, including the various issues I had raised such as risks and liability allocation.
In actual fact, which Minister would be responsible for the Digital Signature Act. If we follow the Utah example, the official responsible is the Secretary of State for Commerce (whose counterpart should be the Minister for Domestic Trade and Consumer Affairs), as this is a subject which is more concerned about electronic commerce rather than telecommunications.
I do not know whether the Digital Signature Act would come under the jurisdiction of the Minister for Telecommunications, for although the Telecommunications Minister introduced the Computer Crimes Bill in the House, it will be the Home Minister who ill have jurisdiction over computer crimes rather than the Telecommunications Minister.
If the Digital Signature Act comes under electronic commerce, then it should more properly be introduced in this House by the Minister for Domestic Trade and Consumer Affairs - except that there is now no Minister for this portforlio as the incumbent had to resign to assume the post of Selangor Mentri Besar when it is discovered that there is not a single Selangor UMNO Exco or Assembly member who is "clean and capable" enough to become head of government in the state.
[The Deputy Minister, Datuk Chan Kong Choy, replied: "Tuan Pengerusi, bahawa semua perkara yang saya sebutkan tadi akan dimasukkan dalam peraturan-peraturan yang akan di tetapkan oleh Yang Berhormat Menteri kemudian dan pihak kerajaan akan menentukan kementerian yang mana yang akan dipertanggunghjawabkan untuk melaksanakan undang-undang digital signature ini."]