
Press release of the OECD on
GUIDELINES FOR CRYPTOGRAPHY POLICY

29 MEMBER COUNTRIES

Australia, Austria, Belgium, Canada, Czech Republic,
Denmark, Finland, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Japan,
Korea, Luxembourg, Mexico, Netherlands, New Zealand,
Norway, Poland, Portugal, Spain, Sweden,
Switzerland, Turkey, United Kingdom, United States

Paris, 27 March 1997

OECD ADOPTS GUIDELINES FOR CRYPTOGRAPHY POLICY

The OECD has adopted Guidelines for Cryptography Policy, setting out principles to guide countries in formulating their own policies and legislation relating to the use of cryptography.

The Recommendation which came before the governing body of the OECD, the Council, on Thursday 27 March, is a non-binding agreement that identifies the basic issues that countries should consider in drawing up cryptography policies at the national and international level. The Recommendation culminates one year of intensive talks to draft the Guidelines.

The need for Guidelines emerged from the explosive worldwide growth of information and communications networks and technologies and the requirement for effective protection of the data which is transmitted and stored on those systems. Cryptography is a fundamental tool in a comprehensive data security system. Cryptography can also ensure confidentiality and integrity of data and provide mechanisms for authentication and non-repudiation for use in electronic commerce.

Governments want to encourage the use of cryptography for its data protection benefits and commercial applications, but they are challenged to draft cryptography policies which balance the various interests at stake, including privacy, law enforcement, national security, technology development and commerce. International consultation and co-operation must drive cryptography policy because of the inherently international nature of information and communications networks and the difficulties of defining and enforcing jurisdictional boundaries in the new global environment.

The Guidelines are intended to promote the use of cryptography, to develop electronic commerce through a variety of commercial applications, to bolster user confidence in networks, and to provide for data security and privacy protection.

Some OECD Member countries have already implemented policies and laws on cryptography, and many countries are still developing them. Failure to co-ordinate these national policies at the international level could introduce obstacles to the evolution of national and global information and communications networks and could impede international trade. OECD governments have recognised the importance of international co-operation, and the OECD has contributed by developing consensus on specific policy and regulatory issues related to cryptography and, more broadly, to information and communications networks and technologies.

The Guidelines set out eight basic Principles for cryptography policy:

  1. Cryptographic methods should be trustworthy in order to generate confidence in the use of information and communications systems.
  2. Users should have a right to choose any cryptographic method, subject to applicable law.
  3. Cryptographic methods should be developed in response to the needs, demands and responsibilities of individuals, businesses and governments.
  4. Technical standards, criteria and protocols for cryptographic methods should be developed and promulgated at the national and international level.
  5. The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
  6. National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible.
  7. Whether established by contract or legislation, the liability of individuals and entities that offer cryptographic services or hold or access cryptographic keys should be clearly stated.
  8. Governments should co-operate to co-ordinate cryptography policies. As part of this effort, governments should remove, or avoid creating in the name of cryptography policy, unjustified obstacles to trade.

The Guidelines advise that the eight elements should be taken as a whole in an effort to balance the various interests at stake. These Principles are designed to assist decision-makers in the public and private sectors in developing and implementing coherent national and international policies for the effective use of cryptography. Member countries should establish new, or amend existing, policies to reflect them. Any national controls on use of cryptography should be stated clearly and be publicly available.

Drafting of the Guidelines for Cryptography Policy began in early 1996, when the OECD formed an Ad hoc Group of Experts under the chairmanship of Mr. Norman Reaburn of the Attorney-General's Department of Australia. More than 100 representatives from OECD Member countries participated, including government officials from commerce, industry, telecommunications and foreign ministries, law enforcement and security agencies, privacy and data protection commissions, as well as representatives of the private sector. The Business and Industry Advisory Committee to the OECD was involved and experts on privacy, data protection and consumer protection also participated.

The policy recommendations in the Guidelines are primarily aimed at governments, but it is anticipated that they will be widely read and followed by both the public and private sectors. Governments will now engage in further consultation to co-ordinate and co-operate on the implementation of the Guidelines. In the future, the Guidelines could form a basis for agreements on specific issues related to international cryptography policy. The Guidelines will soon be published as an OECD document for broad distribution to promote awareness and public discussion of the issues and policies related to cryptography.

The Cryptography Policy Guidelines are available on this website.

Journalists interested in a briefing should contact the Communications Division. For further information and inquiries, please contact the Information, Computer and Communications Policy Division (fax (33) 01 45 24 93 32).


Last modified: 15.09.1998