Austrian Comments on the “November Draft” of the OECD Cryptography Guidelines
2

[31] Should be adopted in the following wording, which addresses the balance mentioned in Item [19] (include first bracket [strengthen privacy and], delete second bracket [of cryptography], include third bracket [without adversely affecting] ):

[31] -- to strengthen privacy and ensure the security of data in national and global information and communications networks without adversely affecting public safety, law enforcement or national security;

[39] Should be adopted.

[49] Both brackets should be deleted. The proposed text defines the subject very well.

[55] Delete first bracket [should] and delete the second bracket, except for the last sentence (“The Principles are meant to be implemented in a way which balances the various interests at stake.”) which emphasises the need for balance. The Item should read:

[55] The Principles in Section V of this Annex, each of which addresses an important policy concern, are interdependent and must be implemented as a whole so as to balance the various interests at stake. No principle should be implemented in isolation from the rest. The Principles are meant to be implemented in a way which balances the various interests at stake.

[59] Delete all brackets. It was agreed that the principles should be regarded as interdependent (see Item [55]), which means that continual references to “lawful constraints”, “lawful access” etc. are not necessary. The Item should read:

[59] Users must have access to cryptography that meets their needs, so that they will trust in the security of information and communications systems' end the confidentiality and integrity of data on those systems. Individuals or entities who own, control, access, use or store data may have a responsibility to protect the confidentiality and integrity of such data, and may therefore be responsible for using appropriate cryptographic methods. It is expected that a variety of cryptographic methods may be needed to fulfill different data security requirements. Users of cryptography should be free to determine the type and level of data security needed, and to select and implement appropriate cryptographic methods, including a key management system that suits their needs

[60] Adopt the first bracket [or provide authentication, integrity and non-repudiation services for] delete the second bracket /the use of] and delete the second sentence, which is too unspecific. Add a second sentence which limits governmental control to measures that help enforce the Guidelines, esp Trust in cryptography (prohibition of unsafe products) and privacy (prohibition of products with secret features that permit their creator to decrypt data without the knowledge of the user).These controls should not overlap with lawful access. The Item should read: Governments may implement policies that require the use of cryptographic methods to protect or provide authentication, integrity and non-repudiation services for data if necessary to protect a compelling public interest. Government shall have the right to impose controls on cryptographic methods and products which are in conflict with these guidelines.

[65] The wording should remain as it is. Delete the text in brackets [AND IN THE IMPLEMENTATION AND USE OF CRYPTOGRAPHIC METHODS); it appears redundant.

[66] Delete first bracket [policies that promote the use of cryptography to ensure the integrity of data in electronic transactions, including authentication and nonrepudiation mechanisms,), include second bracket [to avoid risks to personal privacy.], delete third [domestic and international/, fourth [law/ and fifth bracket [The OECD Guidelines for the Protection of Personal Data provide general guidance concerning the collection and management of personal information, which should be applied in concert with relevant national law when implementing cryptographic methods, particularly in establishing procedures for certification authorities and key management systems./. The Item should read:

[66] While governments should implement policies that promote authentication, integrity and non-repudiation in electronic exchanges, however, the privacy consequences of these cryptographic functions should be clearly understood, and strong privacy safeguards should be established to avoid risks to personal privacy. The use of personal identification mechanisms in concert with cryptographic systems may be regulated by national data protection legislation and in accordance with human rights.

[67] This Item should remain as it is. Delete text in brackets [CAN].