IV. INTEGRATION [DEPENDENCE] [INTERDEPENDENCY OF PRINCIPLES]

[55] The Principles in Section V of this Annex, each of which addresses an important policy concern, are interdependent and must [should] be implemented as a whole so as to balance the various interests at stake. No principle should be implemented in isolation from the rest. [The Principles in Section V of this Annex [are presented in an [logical] order so the concepts expressed progress from one to the next. the Principles/ do not appear in order of priority. Each of these Principles independently addresses important policy concerns. However, these Principles are intended to be interdependent: they should be taken [adopted] as a whole [and no individual Principle should be implemented [at the expense of or] in isolation from the others]. The Principles are meant to be implemented in a way which balances the various interests at stake.]

V. PRINCIPLES

1. TRUST IN CRYPTOGRAPHY [CRYPTOGRAPHIC METHODS]

[56] CRYPTOGRAPHIC METHODS TO PROTECT DATA SHOULD VALIDLY GENERATE TRUST IN THE USE OF INFORMATION SYSTEMS.

[57] Cryptographic methods and services should be trustworthy so that the users of cryptography can have confidence in them. There are a number of mechanisms which could build user trust in cryptographic methods, including government regulation, licensing end market mechanisms. Evaluation of products, services and systems against certified or market-accepted [widely accepted] criteria and methods could also provide quality control mechanisms to encourage trust in cryptography. Another way to generate confidence in cryptographic methods [as a means for achieving data security] might be for governments themselves to utilise commercially available cryptographic methods for appropriate government information security purposes. ⁽⁸⁾

2. [VOLUNTARY] [FREE] CHOICE OF CRYPTOGRAPHIC METHODS

[58] USERS SHOULD HAVE A RIGHT TO CHOOSE ANY CRYPTOGRAPHIC METHOD.

[59] Users must [should] have access to cryptography that meets their needs, so that they will [can] trust in the security of information and communications systems, and the confidentiality and integrity of data on those systems. Individuals or entities who own, control, access, use or store data may have a responsibility to protect the confidentiality and integrity of such data, and may therefore be responsible for using appropriate cryptographic methods. It is expected that a variety of cryptographic methods may be needed to fulfil different data security requirements. Users of cryptography should be free [, subject to lawful constraints] to determine the type and level of data security needed, and to select and implement appropriate cryptographic methods, including a key management system that suits their needs [which may include provisions for lawful access to plaintext or cryptographic keys].

[60] Governments may implement policies that require the use of cryptographic methods to protect [or provide authentication, integrity and non-repudiation services for] data if necessary to protect a compelling public interest. Government controls on [the use of] cryptographic methods should be no more than are essential to the discharge of government responsibilities.