Ad hoc Group of Experts on Cryptography Policy Guidelines

OECD Draft Guidelines for Cryptography Policy September 1996

Working document for 26-27 September 1996 Meeting

COVER MEMORANDUM TO THE COUNCIL

Cryptography Policy at the OECD

[C1] Cryptography technologies and cryptography policy are critical to the development of the Global Information Infrastructure (GII) and the Global Information Society (GIS). Governments and business both have an important role in these fields. Cryptography is mentioned in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the 1992 OECD Guidelines for the Security of Information Systems as one of the technological means to assure protection of personal data and privacy and security of information systems.

[C2] Since 1989, the OECD Information, Computer and Communications Policy (ICCP) Committee has included cryptography technologies and policies in its work on security and privacy. The 1989 report by the OECD Secretariat, Information Network Security, included a review of cryptography technology and policy issues. These issues were discussed at the OECD Meeting on Information Security in March 1990. The Meeting of Experts on Recent Developments in Protection of Personal Data and Privacy, held on 10 -11 December 1992, was the first OECD meeting to examine in depth cryptography technologies and policies. In four sessions over two days, speakers from the private sector and academia introduced cryptography described various cryptography technologies, and discussed the relevant policy considerations. The Meeting of Experts on Information Infrastructures. which was held at the OECD on 30 November - 2 December 1994, included a session on cryptography policy. The Meeting emphasised the links between cryptography policy, protection of personal data and privacy, security of information systems, and protection of intellectual property, and stressed that the goals of security, privacy and intellectual property protection must be achieved in balance, so that solutions to one do not vitiate another.

[C3] The OECD Ad hoc Meeting of Experts on Cryptography Policy, held on 18-19 December 1995 focused attention on the issues and gave Member countries an opportunity to discuss and compare their national positions on cryptography policy. The Meeting was attended by a diverse group of government representatives -- including representatives of trade. industry and telecommunication ministries. data protection authorities, law enforcement and national security agencies -- the private sector, and technologists. The discussion emphasised the need for global solutions with regard to cryptography policy, or, at least. compatible national solutions that strike the appropriate balance between data protection and law enforcement.

[C4] The private sector has played an important role in the development of cryptography policy at the OECD. In accord with the 1995 OECD Ministerial mandate that non-governmental partners be included in activities relating to GII/GIS the ICC/BIA/OECD Business-Government Forum on Global Cryptography Policy was held on 19-20 December 1995 in conjunction with the Ad hoc Meeting. At the Forum. the private sector presented its perspective and outlined a number of business initiatives for global cryptography policy