Privacy Law and Policy Reporter
The Group of Experts is meeting again to finalise the Guidelines in mid-December 1996, but further drafts are not available at this time. Norman Raeburn (Chairman of the Expert Group) and Steve Orlowski from the Commonwealth Attorney-General's Department will attend in the Australian delegation, but the Privacy Commissioner will not attend this time. See 'OECD Searches for Crypto-Consensus' (3 PLPR 21) for background to the OECD deliberations, and further articles therein on encryption issues.
In these extracts, due to space limitations, some introductory material in the draft, and the footnotes have been omitted. Use of capitals and italics has also been changed. The exact significance of text in square brackets is uncertain, but is believed to be matters which are listed for discussion at the December meeting. Readers are urged to consult the above-listed web sites for the full draft and also to check for any subsequent `unofficial' versions. (Editor)
 -- the Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980 [C(80)58/FINAL];
 -- the Declaration on Transborder Data Flows adopted by the Governments of OECD Member countries on 11 April 1985 [Annex to C(85)139];
 -- the Recommendation of the Council concerning Guidelines for the Security of Information Systems of 26 November 1992 [C(92) 188/FINAL];
 [-- the Directive [95/46/EC1 of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data]
 [-- the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-use Goods and Technologies of 1 November 1996, ]
 [-- the Decision [94/942/PESC] and Regulation [(EC) 3381/94] of the Council of the European Union of July 1995 on the export of dual-use goods;]
 [-- and the Recommendation [R(95)13] of the Council of Europe of 11 September 1995 concerning, problems of criminal procedural law connected with information technology;]
 -- that this emerging information and communications network is likely to have an important impact on economic development and world trade;
 -- that the users of information technology must have trust in the security of information and communications systems, and in the confidentiality, authentication, integrity and non-repudiation of data on those systems; [and in the confidentiality and integrity of data on those systems and the ability to authenticate that data;]
 -- that data is increasingly vulnerable [to sophisticated threats to its security] [that data is increasingly valuable,] and ensuring the security of data through legal procedural and technical means is fundamentally important for national and international information infrastructures to reach their full potential;
 -- that cryptography has a variety of applications related to the protection of privacy, intellectual property, business and financial information, public safety and national security, and the operation of electronic commerce;
 -- that the use of cryptography for authentication, integrity and non-repudiation is distinct from its use for confidentiality, [the use of cryptography to ensure integrity of data, including authentication and non-repudiation mechanisms, is distinct from its use to ensure confidentiality of data,] and that each of these uses presents different [benefits and] issues;
 -- that the failure to utilise cryptographic methods can [may) adversely affect [personal] privacy by limiting the abilities of individuals to achieve confidentiality of data, or by facilitating [allowing] unlawful or unauthorised access to data;
 -- that cryptography is only one of many tools in an information security system; the quality of information protection afforded by cryptography depends not only on the selected technical means, but also on good [technical] managerial, organisational and operational procedures;
 [-- that there are legitimate commercial, administrative and individual needs and uses for cryptography, but that cryptography may also be used by individuals or entities to prevent lawful access to information or for illegal activities, which in turn may [will] affect public safety, law enforcement, [including the enforcement of tax laws/national security, business, privacy or consumer protection [consumer interests]; governments [industry and the general public] are, therefore, challenged to achieve a balanced policy concerning these interests,]
 -- that the inherently global nature of developing information and communications networks necessitates international co-operation on [policy-making, including policy-making on] cryptography issues, and that [it follows, therefore, that] implementation of incompatible national policies will not meet the needs of individuals, business and governments for world-wide technologies [networks] and applications;
 -- that, although national policies should be internationally co-ordinated, this Recommendation of the Council does not affect the sovereign rights of national governments [in respect of public safety, law enforcement and national security;, and that the Guidelines contained in the Annex to this Recommendation are always subject to the requirements of national law;
 [-- that, in the particular case of federal countries, the implementation of this Recommendation may be affected by the division of powers in the federation;]
 -- consult, co-ordinate and co-operate [and take initiatives] at the national and international level in the implementation of the Guidelines;
 [-- agree as expeditiously as possible on specific initiatives for the application of the Guidelines.]
 -- act on the need for practical and operational solutions in the area of international cryptography policy by using the Guidelines as a basis for agreements on specific issues related to international cryptography policy;
 -- disseminate the Guidelines throughout the public and private sectors to promote awareness of the issues and policies related to cryptography;
 [-- remove, or avoid creating in the name of cryptography policy, unjustified obstacles to international trade and the development of information and communications networks, ]
 [-- state clearly and make publicly available, any national controls imposed by governments relating to the use of cryptography;]
 -- review the Guidelines at least every five years, with a view to improving international co-operation on issues relating to cryptography policy.
The Guidelines are intended:
 -- to [strengthen privacy and] ensure the security of data in national and global information and communications networks while recognising the possible effects [of cryptography] on [without adversely affecting] public safety, law enforcement or national security;
 -- to raise awareness of the need for compatible cryptography policies and laws, as well as the need for interoperable [and portable] cryptographic methods in national and global information and communications networks;
 -- to assist decision-makers [in the public and private sectors] in developing and implementing coherent national and international policies, methods, measures, practices and procedures for the [appropriate and] effective use of cryptography;
 -- to promote co-operation between the public and private sectors in the development and implementation of national and international cryptographic policies, methods, measures, practices and procedures;
 -- to foster confidence in information and communications networks and the manner in which they are used;
 [-- to promote international trade by ensuring cost effective, interoperable cryptographic systems;]
 [-- to promote international co-operation between governments, business and research communities and within [the framework of] [internationally recognised, voluntary/ standardisation organisations [standard-making bodies/ in achieving co-ordinated use of cryptographic methods.]
 The Guidelines are primarily aimed at governments, in terms of the policy recommendations therein, but with anticipation that they will be widely read and followed by both the private and public sectors.
 [These Guidelines do not apply to cryptography policies relating to classified information.]
For the purposes of these Guidelines:
 `Authentication' means a function [mechanism] for establishing the validity of a claimed identity of a user, device or another entity in an information system.
 `Confidentiality' means the property [characteristic] that information is not made available or disclosed to unauthorised individuals, entities or processes.
 `Cryptography' means the discipline which embodies principles, means, and methods for the transformation of data in order to hide its information content, establish its authenticity, prevent its undetected modification, prevent its repudiation, and/or prevent its unauthorised use.
 `Cryptographic key' means a parameter used [in conjunctional] with an algorithm to transform, validate, authenticate, encrypt or decrypt data.
 `Cryptographic methods' means [the] hardware and [or] software techniques, services, systems and [or] products that are used for ensuring the confidentiality, authentication, integrity, and non-repudiation of data [ensuring the confidentiality and integrity of data, including authentication and non-repudiation mechanisms].
 `Data' means the representation of information in a [formalised] manner [in digital form]) suitable for communication, interpretation, storage, or processing.
 `Decryption' means the transformation of encrypted data back to its original intelligible form (plaintext) by using a cryptographic method [key and cryptographic algorithm].
 `Encryption' means the transformation of data to produce unintelligible data [data which is unintelligible to a third party] (encrypted data) [to ensure its confidentiality] by using a cryptographic method [key and cryptographic algorithm].
 `Integrity of data' means the property [characteristic] that data has not been modified or altered in an unauthorised manner.
 `Lawful access' means the ability to access cryptographic keys or the plaintext of encrypted data granted to third-party individuals or entities, including government entities, in accordance with law. [access by third party individuals or entities, including governments, to plaintext of encrypted data, in accordance with law.] [access to plaintext of encrypted data or access to cryptographic keys allowed, recognised or sanctioned by law.]
 `Key management system' means the [a] system for generation, storage, distribution, revocation, deletion, archiving and [or] application/use of cryptographic keys.
 `Keyholder' means an [the] individual or entity [lawfully] in possession [and/or control] of cryptographic keys. A key holder is not necessarily a user of the key.
 `Non-repudiation' means a function [mechanised for preventing an individual or entity from denying having performed a particular action related to data.
 `Plaintext' means intelligible data, the semantic content of which is available.
 [`User' means an [the] individual or entity that employs [uses] cryptographic methods, unless indicated otherwise by context.]
4. Integration [dependence] [interdependency of principles]
 The Principles in Section V of this Annex, each of which addresses an important policy concern, are interdependent and must [should] be implemented as a whole so as to balance the various interests at stake. No principle should be implemented in isolation from the rest. [The Principles in Section V of this Annex [are presented in an [logical] order so the concepts expressed progress from one to the next. The Principles do not appear in order of priority. Each of these Principles independently addresses important policy concerns. However, these Principles are intended to be interdependent: they should be taken [adopted] as a whole [and no individual Principle should be implemented [at the expense of or] in isolation from the others]. The Principles are meant to be implemented in a way which balances the various interests at stake.]
1. TRUST IN CRYPTOGRAPHY [CRYPTOGRAPHIC METHODS]
 CRYPTOGRAPHIC METHODS TO PROTECT DATA SHOULD VALIDLY GENERATE TRUST IN THE USE OF INFORMATION SYSTEMS.
 Cryptographic methods and services should be trustworthy so that the users of cryptography can have confidence in them. There are a number of mechanisms which could build user trust in cryptographic methods, including government regulation, licensing end market mechanisms. Evaluation of products, services and systems against certified or market-accepted [widely accepted] criteria and methods could also provide quality control mechanisms to encourage trust in cryptography. Another way to generate confidence in cryptographic methods [as a means for achieving data security; might be for governments themselves to utilise commercially available cryptographic methods for appropriate government information security purposes.
2. [VOLUNTARY] [FREE] CHOICE OF CRYPTOGRAPHIC METHODS
 USERS SHOULD HAVE A RIGHT TO CHOOSE ANY CRYPTOGRAPHIC METHOD.
 Users must [should; have access to cryptography that meets their needs, so that they will [can] trust in the security of information and communications systems, and the confidentiality and integrity of data on those systems. Individuals or entities who own, control, access, use or store data may have a responsibility to protect the confidentiality and integrity of such data, and may therefore be responsible for using appropriate cryptographic methods. It is expected that a variety of cryptographic methods may be needed to fulfil different data security requirements. Users of cryptography should be free [subject to lawful constraints] to determine the type and level of data security needed, and to select and implement appropriate cryptographic methods, including a key management system that suits their needs [which may include provisions for lawful access to plaintext or cryptographic keys].
 Governments may implement policies that require the use of cryptographic methods to protect [or provide authentication, integrity and non-repudiation services for] data if necessary to protect a compelling public interest. Government controls on [the use on cryptographic methods should be no more than are essential to the discharge of government responsibilities.
3. MARKET DRIVEN DEVELOPMENT OF CRYPTOGRAPHY
 CRYPTOGRAPHIC METHODS SHOULD BE [FREELY/DEVELOPED [IN THE MARKETPLACE] IN RESPONSE TO THE NEEDS AND DEMANDS OF INDIVIDUALS, BUSINESSES AND GOVERNMENTS.
 The development and provisions of cryptographic methods should be determined by the market in an open and competitive environment, which may include government sponsored cryptographic methods. Such an approach would [will] best [is likely to] ensure that solutions keep pace with changing technology, the demands of users and evolving threats to information systems security. The development of [the voluntary] international technical standards, criteria and protocols related to cryptographic methods should also be market driven. Governments should encourage and co-operate with business and the research community in the development of cryptographic methods [that protect and promote privacy, the *security of data and information systems, commerce, public safety, law enforcement and national security, [without unduly restricting the marketplace or global trade].]
4. STANDARDS FOR [INTEROPERABILITY OF] CRYPTOGRAPHIC METHODS
 TECHNICAL STANDARDS, CRITERIA AND PROTOCOLS FOR CRYPTOGRAPHIC METHODS SHOULD BE DEVELOPED AND PROMULGATED AT THE NATIONAL AND INTERNATIONAL LEVEL [TO ACHIEVE GLOBAL INTEROPERABILITY].
 Recognised standards [-making] bodies, governments and business [as well as experts from the public sector and research community,] should share information and collaborate to develop and promulgate interoperable technical standards, criteria and protocols for cryptographic methods. [Relevant] national standards for cryptographic methods, if any, should be consistent with international standards to facilitate global interoperability. Mechanisms to evaluate conformity to technical standards, criteria and protocols for interoperability [and portability] of cryptographic methods should be developed.
5. PROTECTION OF PRIVACY AND PERSONAL DATA
 THE FUNDAMENTAL RIGHTS OF INDIVIDUALS TO PRIVACY, INCLUDING SECRECY OF COMMUNICATIONS AND PROTECTION OF PERSONAL DATA, SHOULD BE RESPECTED IN NATIONAL CRYPTOGRAPHIC POLICIES [AND IN THE IMPLEMENTATION AND USE OF CRYPTOGRAPHIC METHODS].
 While governments should implement policies that promote authentication, integrity and non repudiation in electronic exchanges, [policies that promote the use of cryptography to ensure the integrity of data in electronic transactions, including authentication and non-repudiation mechanisms], however, the privacy consequences of these cryptographic functions should be clearly understood, and strong privacy safeguards should be established [to avoid risks to personal privacy.] The use of personal identification mechanisms in concert with cryptographic systems may be regulated by national data protection legislation and in accordance with [domestic and international] human rights [law]. [The OECD Guidelines for the Protection of Personal Data provide general guidance concerning, the collection and management of personal information, which should he applied in concert with relevant national law when implementing; cryptographic methods, particularly in establishing procedures for certification authorities and key management systems.]
6. LAWFUL ACCESS
 NATIONAL CRYPTOGRAPHY POLICIES MAY [CAN] ALLOW LAWFUL ACCESS TO PLAINTEXT OF ENCRYPTED DATA. THESE POLICIES MUST RESPECT THE OTHER PRINCIPLES CONTAINED IN THESE GUIDELINES TO THE GREATEST EXTENT POSSIBLE.
 Where access to the plaintext of encrypted data, or to cryptographic keys if appropriate, is requested under lawful process, the individual or entity requesting access must have a legal right to possession of the plaintext, and once obtained the data should [must] only be used for lawful purposes. The process [event] through which lawful access is obtained should be recorded, so that disclosure of cryptographic keys or data can be audited in accordance with national law. Where access is lawfully requested [obtained], such access [lawful access] should be granted within designated time limits appropriate to the circumstances. The [establishment of and changes in the] conditions of lawful access should be stated [notified] clearly, published, and apparent to users. keyholders and providers of cryptographic methods.
 When developing policies on cryptographic methods that provide for lawful access, governments should weigh carefully the risks of fraud [misuse], the additional expense of any supporting infrastructure, [the prospects of technical failure,] and other costs, against the perceived benefits, including benefits for [the public interest] public safety, law enforcement and national security. [Governments should promote cryptographic methods with mechanisms that deter criminal abuse and therefore minimise the need for lawful access.] This Principle should not be interpreted as implying that governments enact legislation that would allow lawful access to encrypted data. [Governments should not create lawful access legislation that is more intrusive than other laws about the gathering of evidence.) Lawful access across national borders may [should] be achieved [only] through international agreements and co-operation [between the countries concerned].
 Key management systems are a possible solution which can balance the interest of users and law enforcement authorities; these techniques may also be used to recover data, when keys are lost. [Preference should be given to the development and use of technical solutions that permit national key management infrastructures while allowing international communications.] Lawful access to cryptographic keys should [must] recognise the distinction between keys which can be used to protect confidentiality, and keys which can be used for authentication purposes [can be used to ensure data integrity] only. A cryptographic key that can be used for authentication [data integrity] purposes only should not be made available without the [explicit] consent of the individual or entity in lawful possession of that key [entity which it authenticates].
 WHETHER ESTABLISHED BY CONTRACT OR LEGISLATION, THE LIABILITY OF INDIVIDUALS AND ENTITIES THAT [OFFER CRYPTOGRAPHIC SERVICES OR] HOLD OR ACCESS CRYPTOGRAPHIC KEYS SHOULD BE CLEARLY STATED [DEFINED].
 Subject to government legislation designed to protect public interests, [including consumer protection/private parties are free [users should be freed to establish, by prior agreement, the liability of individuals and entities who hold or have access to cryptographic keys. The liability of any individual or entity [including a government entity, [of any party] that holds cryptographic keys on behalf of another, or which gains access to cryptographic keys of another should be made clear, by contract and, where appropriate, by [either] national legislation or international agreement. The liability of users for misuse of their own keys should also be made clear [explicit). A keyholder [or any third party that has legitimate contact with keys] should [can; not beheld liable for providing cryptographic keys or plaintext of encrypted data in accordance with lawful process [access/ [request]. The party that obtains lawful access should be liable for misuse of cryptographic keys that it has obtained.
8. INTERNATIONAL CO-OPERATION
 GOVERNMENTS SHOULD CO-OPERATE TO HARMONISE CRYPTOGRAPHY POLICIES. AS PART OF THIS EFFORT, GOVERNMENTS SHOULD REMOVE, OR AVOID) CREATING IN THE NAME OF CRYPTOGRAPHY POLICY, UNJUSTIFIED OBSTACLES TO TRADE.
 In order to promote the broad international acceptance of cryptography and enable [attain] the full potential of the national and global information and communications networks, cryptography policies adopted by a country should harmonise as much as possible with similar policies of other countries. To that end, these Guidelines should be used for national policy formulation and in preparing national regulations on cryptography. [Aspects of cryptography policy which should be harmonised at the international level include regulation and certification of keyholders or key management systems, mutual recognition of digital signatures, conditions of lawful access, requirements for privacy protection, and government controls or regulations placed on cryptographic methods, including their import, export and use.]
 [In order to avoid creating artificial obstacles to international trade, member countries should avoid developing laws, policies and practices which create unjustified obstacles to global electronic commerce. [Member countries should avoid unnecessary hindrances to international availability of high quality cryptographic products.] No government should impede the free pow of encrypted data through its national boundaries [merely on the basis of cryptography policy].