(The French Members of the Working Group did not participate in the adoption of this Statement. The UK Data Protection Registrar has reservations vis-á-vis this statement.)

The protection of privacy and personal correspondence against arbitrary intrusions is a human right (Art.12 Universal Declaration of Human Rights; Art.17 International Covenant on Civil and Political Rights; Art.8 European Convention on Human Rights). In the Information Society where communication takes place mainly via telecommunications facilities this means that everybody has a right to have his electronically transmitted messages treated confidentially and that no unauthorised person can intercept their contents.

Following a proposal of the International Working Group on Telecommunications and Media the 7th International Conference of Data Protection and Privacy Commissioners has pointed out in a resolution at its session in Luxembourg on 26 September 1985, that integration and digitalisation increase the danger of unauthorised recording and evaluating of transmitted information. The 11th International Conference of Data Protection and Privacy Commissioners at its session on 30 August 1989 in Berlin has called for data security facilities to be offered against unauthorised access, manipulation, interception and for guaranteeing the authenticity of the sender on the highest technical level and at acceptable costs.

The only measure meeting these demands is the encryption of messages. The offer of sufficient encryption methods for the users of telecommunications services is therefore essential for guaranteeing privacy. It is also a key element of privacy-enhancing technologies. With respect to mobile communications the 12th International Conference of Data Protection and Privacy Commissioners at its session on 19 September 1990 in Paris called for network operators to be obliged to offer subscribers to mobile telephone networks effective encryption procedures. The offer of end-to-end encryption facilities has been a key demand of Data Protection Commissioners when discussing the Draft European Telecommunications Directive (cf. Art.4 of the Common Position).

The International Working Group on Data Protection in Telecommunications confirms its demand that for guaranteeing confidentiality users of electronic telecommunications services should have the opportunity to encrypt their messages on a level of their own free choice.

The prohibition of encrypting messages that is being discussed in some countries goes against this principle. It would not only hinder citizens in looking after their human right to unobservable communications, but also foster the abuse of telecommunications for illegal purposes. It could be bypassed at any time by those having the technical and financial means, so that a prohibition would only affect unsuspecting citizens.

A restriction of encryption facilities e.g. by licensing the necessary software could have the same effect. It is for the reasons mentioned above in particular not suitable to fight organised crime.

The International Working Group on Data Protection in Telecommunications understands the demands of law enforcement agencies to have access to encrypted messages for purposes of preserving public security and criminal prosecution. The 14th International Conference of Data Protection and Privacy Commissioners on 29 October 1992 in Sydney has welcomed a report by the Working Group on the access of law enforcement agencies to telecommunications contents. The Conference agreed that the technical and legal development in the field of telecommunications secrecy had to be monitored closely to protect the privacy of the individual against excessive surveillance.

The Working Group doubts that any regulation of encryption facilities for the purposes of law enforcement agencies can contribute adequately to fighting serious crimes. An intrusion on telecommunications secrecy for fighting less serious offences would be excessive anyway. All the measures that have been discussed (licensing of software, regulation of import and export, deposit of keys, hardware back-doors like the "clipper-chip") would lead to a weaker protection, as these solutions could also be used illegally. The enforcement of legal requirements only to use certain licensed keys would reverse the relationship between confidentiality as a rule and lawful access as an exception. Since legal requirements in this field can easily be bypassed (e.g. by using hidden codes) this would amount to excessive and in the end futile surveillance of the individual.There is therefore a difference between interference with traditional forms of correspondence and with electronic communications: Interference with the former may be legal if it "... is necessary in a democratic society ... for the prevention of disorder or crime ..." (Art.8 para.2 European Convention on Human Rights); interference with the latter for the purpose of enforcing limitations of the use of cryptographic methods could lead to the abandonment of confidential electronic communications altogether.

The International Working Group on Data Protection in Telecommunications welcomes the OECD Guidelines for Cryptography Policy of 27 March 1997 as well as the Ministerial Declaration of the European Ministerial Conference (Bonn, 6-8 July 1997) which stress the importance of trustworthy cryptographic methods in order to generate user confidence in reliable information and communications systems. The OECD Guidelines also underline the principle that free user choice of cryptographic methods should not be limited by new legislation (Principle 2 of the OECD Guidelines). National policies allowing for lawful access must respect this principle to the greatest extent possible (Principle 6). The Working Group attaches particular importance to the privacy implications raised by cryptographic methods being used to ensure the integrity of data in electronic transactions (Principle 5). The collection of personal data and the creation of systems for personal identification in connection with the use of these methods require special privacy safeguards to be established.