
[54] (1) TRUST IN CRYPTOGRAPHY

[53] CRYPTOGRAPHIC METHODS TO PROTECT DATA SHOULD VALIDLY GENERATE TRUST IN THE USE OF INFORMATION SYSTEMS.

[56] In order to achieve the full potential of the GII/GIS, it is fundamentally important that the users of information technology have trust in the security of information and telecommunications systems, and the confidentiality and integrity of data on those systems.

[57] Users must have access to cryptography that meets their needs, so that they will trust in the security of information and telecommunications systems, and the confidentiality and integrity of data on those systems.

[58] Cryptographic methods and services should be trustworthy so that the users of cryptography can have confidence in them; there are a number of mechanisms which could build user trust in cryptographic methods, including government regulation, licensing and market mechanisms.

[59] Evaluation of products, services and systems against certified or market-accepted criteria and methods could provide quality control mechanisms to encourage trust in cryptography.

[60] Another way to instil confidence in cryptographic methods as a means for achieving data security might be for governments themselves to utilise commercially available cryptographic methods for appropriate government information security purposes.

    SECRETARIAT NOTE: The words “commercially available” to describe cryptographic methods have been included. This is a departure from the previous text, but it addresses the issues raised in the comments received. The wording “commercially available” may express the intent of this paragraph better than the previous wording “internationally agreed”.

[61] Cryptography is only one of many tools in an information security system; there are other security tools and measures which can be utilised to protect data adequately. The quality of information protection afforded by cryptography depends not only on the selected technical means, but also on good managerial, organisational and operational procedures.

[62] (2) VOLUNTARY CHOICE OF CRYPTOGRAPHIC METHODS

    SECRETARIAT NOTE: There were many conflicting comments received about the wording for this title. The conflict centred around the choice between the words “VOLUNTARY” and “FREE”. Upon review of the dictionary definitions, “VOLUNTARY” seems the better choice.

[63] USERS SHOULD HAVE A RIGHT TO CHOOSE ANY CRYPTOGRAPHIC METHOD TO PROTECT DATA.

    SECRETARIAT NOTE: Several delegations requested that a reference to “subject to lawful constraints”, “consistent with the Lawful Access Principle” or “within a national legal framework” be included in the wording of the main statement of this Principle. This problem relates to the greater questions of how to deal with the issue of integrating the Principles, as well as whether to refer to national sovereignty or lawful access within the text. It should be unnecessary to refer to lawful constraints/national sovereignty or to include the wording “consistent with ... [another Principle]” within the text of individual Principles if:

    1. a strong statement of national sovereignty is made in the beginning of the document and applied to the entire document; and

    2. the issue of precedence, or ranking of Principles, is addressed clearly in the “Integration” section or elsewhere, and applied to the entire document.

    Both of these elements are present in the current draft. This draft does not include references to lawful constraints/national sovereignty in the main statement of each Principle. However, such references are included in bracketed text at appropriate places within the explanatory text.