OECD Crypto Guidelines

1997-03-27

Source

Automatically imported from: http://commons.somewhere.com:80/rre/1997/OECD.Crypto.Guidelines.html

Content

This web service brought to you by Somewhere.Com, LLC.

OECD Crypto Guidelines

```
---

This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help@weber.ucsd.edu

---

Date: Thu, 27 Mar 1997 16:46:02 -0500
From: Marc Rotenberg
Subject: OECD Crypto Guidelines

The OECD Cryptography Policy Guidelines were formally announced today, following an intensive year-long negotiation. EPIC will be posting a complete copy of the Guidelines at our web site [http://www.epic.org/] along with a detailed analysis.

Journalists interested in a briefing should contact the Communications Division of the OECD. For further information and inquiries, please contact the Information, Computer and Communications Policy Division (fax (33) 01 45 24 93 32).

General information about the OECD may be found at the OECD web site [http://www.oecd.org]. Specific information about the work of the OECD in the areas of security, privacy, intellectual property, and cryptography is available at http://www.oecd.org/dsti/iccp/legal/top-page.html. The OECD Privacy Principles are online at http://www.oecd.org/dsti/iccp/legal/priv-en.html

Among the key outcomes:

-- Recognition of commercial importance of cryptography. The Guidelines recognize that cryptography is an effective tool for the secure use of information technology by ensuring confidentiality, integrity and availability of data and providing authentication and non-repudiation mechanisms.

-- Rejection of key escrow encryption. The US sought endorsement for government access to private keys. Initial drafts of the guidelines included this recommendation. The final draft does not. OECD countries rejected this approach.

-- Endorsement of voluntary, market-driven development of crypto products. The OECD emphasized open, competitive markets to promote trade and commerce in new cryptographic methods.

-- Endorsement of strong privacy safeguards. The OECD adopted one of the strongest privacy principles found in any international agreement, including the obligation to apply the OECD privacy principles to crypto products and services. The OECD also noted favorably the development of anonymous payment schemes which would minimize the collection of personal data.

-- Removal of Restriction on Cryptography. The OECD urged member countries to remove, and avoid creating, obstacles to trade based on cryptography policy. This guideline should lead to further liberalization of export control policies among the OECD member countries.

EPIC will also provide briefings for organizations interested in the intent and application of the OECD Cryptography Guidelines.

Marc Rotenberg
Director, EPIC
Member, OECD ad hoc Expert Panel on Cryptography Policy

---

[http://www.oecd.org/news_and_events/release/nw97-24a.htm]

OECD News Release
Paris, 27 March 1997

OECD ADOPTS GUIDELINES FOR CRYPTOGRAPHY POLICY

The OECD has adopted Guidelines for Cryptography Policy, setting out principles to guide countries in formulating their own policies and legislation relating to the use of cryptography.

The Recommendation which came before the governing body of the OECD, the Council, on Thursday 27 March, is a non-binding agreement that identifies the basic issues that countries should consider in drawing up cryptography policies at the national and international level. The Recommendation culminates one year of intensive talks to draft the Guidelines.

The need for Guidelines emerged from the explosive worldwide growth of information and communications networks and technologies and the requirement for effective protection of the data which is transmitted and stored on those systems. Cryptography is a fundamental tool in a comprehensive data security system. Cryptography can also ensure confidentiality and integrity of data and provide mechanisms for authentication and non-repudiation for use in electronic commerce.

Governments want to encourage the use of cryptography for its data protection benefits and commercial applications, but they are challenged to draft cryptography policies which balance the various interests at stake, including privacy, law enforcement, national security, technology development and commerce. International consultation and co-operation must drive cryptography policy because of the inherently international nature of information and communications networks and the difficulties of defining and enforcing jurisdictional boundaries in the new global environment.

The Guidelines are intended to promote the use of cryptography, to develop electronic commerce through a variety of commercial applications, to bolster user confidence in networks, and to provide for data security and privacy protection.

Some OECD Member countries have already implemented policies and laws on cryptography, and many countries are still developing them. Failure to co-ordinate these national policies at the international level could introduce obstacles to the evolution of national and global information and communications networks and could impede international trade. OECD governments have recognised the importance of international co-operation, and the OECD has contributed by developing consensus on specific policy and regulatory issues related to cryptography and, more broadly, to information and communications networks and technologies.

The Guidelines set out eight basic Principles for cryptography policy:

1. Cryptographic methods should be trustworthy in order to generate confidence in the use of information and communications systems.

2. Users should have a right to choose any cryptographic method, subject to applicable law.

3. Cryptographic methods should be developed in response to the needs, demands and responsibilities of individuals, businesses and governments.

4. Technical standards, criteria and protocols for cryptographic methods should be developed and promulgated at the national and international level.

5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.

6. National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible.

7. Whether established by contract or legislation, the liability of individuals and entities that offer cryptographic services or hold or access cryptographic keys should be clearly stated.

8. Governments should co-operate to co-ordinate cryptography policies. As part of this effort, governments should remove, or avoid creating in the name of cryptography policy, unjustified obstacles to trade.

The Guidelines advise that the eight elements should be taken as a whole in an effort to balance the various interests at stake. These Principles are designed to assist decision-makers in the public and private sectors in developing and implementing coherent national and international policies for the effective use of cryptography. Member countries should establish new, or amend existing, policies to reflect them. Any national controls on use of cryptography should be stated clearly and be publicly available.

Drafting of the Guidelines for Cryptography Policy began in early 1996, when the OECD formed an Ad hoc Group of Experts under the chairmanship of Mr. Norman Reaburn of the Attorney-General's Department of Australia. More than 100 representatives from OECD Member countries participated, including government officials from commerce, industry, telecommunications and foreign ministries, law enforcement and security agencies, privacy and data protection commissions, as well as representatives of the private sector. The Business and Industry Advisory Committee to the OECD was involved and experts on privacy, data protection and consumer protection also participated.

The policy recommendations in the Guidelines are primarily aimed at governments, but it is anticipated that they will be widely read and followed by both the public and private sectors. Governments will now engage in further consultation to co-ordinate and co-operate on the implementation of the Guidelines. In the future, the Guidelines could form a basis for agreements on specific issues related to international cryptography policy. The Guidelines will soon be published as an OECD document for broad distribution to promote awareness and public discussion of the issues and policies related to cryptography.

---

Marc Rotenberg, director                *   +1 202 544 9240 (tel)
Electronic Privacy Information Center   *   +1 202 547 5482 (fax)
666 Pennsylvania Ave., SE Suite 301     *   rotenberg@epic.org
Washington, DC 20003 USA                +   http://www.epic.org

---
```
