[C11] Finally, the Council of Europe has devoted considerable resources to studying the subject of computer-related crime, and is considering suggesting an international convention to address the issue. Such a convention could address matters such as exchange of information among government agencies in cases involving the use of cryptography.

Special Issues for Consideration with Cryptography Policy

[C12] None of these ongoing efforts, however, attempts to address comprehensively international cryptography policy, or to balance the competing interests that international cryptography policy can advance or retard. In this area, these OECD Guidelines for Cryptography Policy can be of considerable assistance to Member countries by raising a number of special issues for their consideration and suggesting favourable resolutions where conflicts exist.

[C13] One of these special issues is the urgent need for international co-ordination and co-operation on cryptography policy. The GII/GIS is, by its name and nature, global, making jurisdictional boundaries difficult to enforce. Efforts by a single national government to regulate the use of cryptography in ways that are incompatible with other national governments pose a serious risk that the regulating government's policies will be ineffective. While recognising that a state's sovereign responsibility to protect public safety and national security may require it to take unilateral action, disparate national policies will also impair the development of the GII/GIS, compelling the use of numerous, possibly incompatible products to communicate and transact business, when one might do. Disparate national policies could also create barriers to international trade.

[C14] Without question, the most critical conflict presented by cryptography, and the one most likely to lead to disparate national regulation, is the conflict between privacy and public safety.
Effective encryption is an essential tool in a network environment for protecting the privacy of personal information and the secrecy of confidential business information. The failure to use encryption in an environment where data is not completely secure can put a number of interests at risk, including public safety, law enforcement and national security, depending on the type of information at issue. In some cases, such as where national or international law calls for maintaining the privacy of data or with respect to critical infrastructures, governments may require the use of encryption of a minimum strength.

[C15] However, the use of encryption also impairs the ability of governments to protect public safety and national security. In most countries, law enforcement can lawfully access stored data under certain conditions, and in some countries, law enforcement may, with legal authorisation, intercept communications. Both of these important law enforcement tools could be eliminated by the use of encryption that does not provide for lawful access to plaintext or cryptographic keys. For countries that permit either technique, balancing privacy (including economic privacy) concerns with the risk to public safety and national security is difficult and politically-charged.

[C16] If law enforcement access is to be preserved, exactly how this should be done is unclear. Member countries are following different approaches and are seeking innovative solutions from industry. One approach under general consideration is key management systems where cryptographic keys are stored in a particular place or in a particular way, perhaps with a trusted third party. If this approach is taken, other issues that must be addressed include where keys will be stored, who will be allowed to hold keys, and what will be the responsibilities and the liabilities of key holders.