
To whom it may concern:

Below you find my comments on Austria's comments on the “November Draft” of the OECD Cryptography guidelines.

Yours sincerely,
Wolfgang Schreiner
Research Institute for Symbolic Computation (RISC-Linz),
Johannes Kepler University, A-4040 Linz, Austria (Europe)
http://www.risc.uni-linz.ac.at/

In general I support Austria's comments on the “November Draft” of the OECD Cryptography guidelines. They contain various suggestions that are essential for a reasonable international cryptography policy and consider the privacy concerns of users better than the September and November drafts.

However, there are two clauses I'd like to specifically comment on:

[69] ...
[Governments should promote cryptographic methods with mechanisms that deter criminal abuse and therefore minimise the need for lawful access.]

This sentence is meaningless. How can you develop a cryptographic method that cannot be used for criminal purposes as well?

I support Austria's position

Austria repeats that this clause refers only to safeguards against abuse other than lawful access itself.

which however implies that “lawful access” is an instance of “abuse” (which it *technically* of course is).

[69] ...
Governments should not create lawful access legislation that is more intrusive than other laws about the gathering of evidence.

I suggest adding the clause, which would clarify the issue and bring it to the point:

In particular, governments should not create legislation that gives access to cryptographic keys or plaintext without knowledge of the user.

Any other interpretation would in practice yield the possibility of uncontrollable interception of communication. With this clause being adopted, privacy concerns of users would be reasonably well considered.
