Austrian Comments on the “November Draft” of the OECD Cryptography Guidelines
3

[68] Adopt the text in the first bracket [must/, delete second [event/, third [obtained/, fourth [lawful access/ and fifth bracket [establishment of and changes in the/. Adopt sixth bracket [notified/. The Item should read:

[68] Where access to the plaintext of encrypted data, or to cryptographic keys if appropriate, is requested under lawful process, the individual or entity requesting access must have a legal right to possession of the plaintext. and once obtained the data must only be used for lawful purposes. The process through which lawful access is obtained should be recorded, so that disclosure of cryptographic keys or data can be audited in accordance with national law. Where access is lawfully requested such access should be granted within designated time limits appropriate to the circumstances The conditions of lawful access should be notified clearly, published. and apparent to users, keyholders and providers of cryptographic methods.

[69] The first bracket /misuse/ is too unspecific, the proposed text (fraud) too specific. We propose a wording such as: ... the risks of misuse (fraud, libel, money laundering, conspiracy to commit crimes etc.) ...

Adopt the second bracket [the prospects of technical failure,]. Delete the third bracket [the public interest]; the proposed text is far clearer.

Adopt the text in the fourth bracket [Governments should promote cryptographic methods with mechanisms that deter criminal abuse and therefore minimise the need for lawful access which was proposed by Austria, as a separate sentence, but add the words “and infrastructures” after “methods”. Austria repeats that this clause refers only to safeguards against abuse other than lawful access itself. Austria also suggests that the third sentence (This Principle should not be interpreted as implying that governments enact legislation that would allow lawful access to encrypted data.) be deleted because it is too unspecific and the text in the fifth bracket [Governments should not create lawful access legislation that is more intrusive than other laws about the gathering of evidence.], which was proposed by Austria, be adopted instead.

In the last sentence, the text in the first bracket [should] should be adopted and the two remaining brackets ([only] and [between the countries concerned]) be deleted.

The Item should therefore read:

[69] When developing policies on cryptographic methods that provide for lawful access, governments should weigh carefully the risks of misuse (fraud, libel, money laundering, conspiracy to commit crimes etc.). the additional expense of any supporting infrastructure. the prospects of technical failure, and other costs, against the perceived benefits, including benefits for public safety, law enforcement and national security. Governments should promote cryptographic methods and infrastructures with mechanisms that deter criminal abuse and therefore minimise the need for lawful access. Governments should not create lawful access legislation that is more intrusive than other laws about the gathering of evidence. Lawful access across national borders should be achieved through international agreements and cooperation.

Delete the first bracket [Preference should be given to the development and use of technical solutions that permit national key management infrastructures while allowing international communications.]./, because it addresses international cooperation and does not fit here. Adopt the second bracket /must;, delete the third [can be used to ensure data integrity], fourth [data integrity/ fifth [explicit; and sixth bracket [entity which it authenticates]. The Item should read:

[70] Key management systems are a possible solution which can balance the interest of users and law enforcement authorities; these techniques may also he used to recover data, when keys are lost. Lawful access to cryptographic keys must recognise the distinction between keys which can be used to protect confidentiality, and keys which can be used for authentication purposes only. A cryptographic key that can be used for authentication purposes only should not be made available without the consent of the individual or entity in lawful possession of that key.