[98] (7) LIABILITY

[99] THE LIABILITY OF INDIVIDUALS AND ENTITIES WHO HOLD OR ACCESS CRYPTOGRAPHIC KEYS, WHETHER ESTABLISHED BY CONTRACT OR LEGISLATION, SHOULD BE CLEARLY STATED.

SECRETARIAT NOTE: All references to liability for access to “data” or “plaintext of encrypted data” have been removed from the text of this Principle in the current draft. Prior versions of this Principle, as well as the discussion at the June meeting, focused on “keys”. The concept of liability for holding or accessing plaintext was introduced in the 15 July draft. Upon further review, it seems that the addition of the references to “plaintext” or “data” moved away from the original intent of the Principle.

The rules of liability for access to plaintext do not change with the presence of encryption, and thus the issue here is liability for “keys”. That is, if an entity holds or has access ta “cryptographic keys”, then its liability must be clearly stated. However, if an entity holds or accesses data or plaintext to encrypted data without accessing keys, it may or may not be liable, but its liability is governed by other law and it falls outside the scope of these Guidelines.

[100] The liability of any individual or entity, including a government entity, which holds cryptographic keys on behalf of another, or which gains access to cryptographic keys of another should be made clear, by contract and, where appropriate, by national legislation or international agreement. The liability of users for misuse of their own keys should also be made clear.

SECRETARIAT NOTE: This paragraph has been reworded to follow with the changes made to the main statement of the Principle. above. The “Liability” Principle could cover liability for the use or misuse of authentication keys as well as keys for confidentiality of data when keys are held or accessed, including perhaps misuse by the “owner” or “user” of the key. The text has been modified to cover these notions: the removal of all references to “to encrypted data” helps to make this Principle applicable to liability for cryptography used for authentication and the new additional sentence makes the liability applicable to “owners” of keys.

Some delegations suggested that the words international agreement should be removed however. these words seem to be consistent with the concept of the Guidelines as a whole.

[101] Governments may legislate liability issues including provisions for criminal or civil liability for improper release of cryptographic keys, or non-contractual protection from liability.

SECRETARIAT NOTE: This paragraph has been reworded to say “Governments may” rather than “Governments could”. Some delegations suggested that this paragraph is unnecessary and should be deleted.

[102] A keyholder should not be held liable for providing cryptographic keys or plaintext of encrypted data in accordance with lawful process.

[103] The party who obtains lawful access should be liable for misuse of cryptographic keys that it has obtained.

[104] (8) INTERNATIONAL COOPERATION

[105] HAVING REGARD TO THE CLEAR AND URGENT NEED FOR INTERNATIONAL COOPERATION IN ALL ASPECTS OF CRYPTOGRAPHY POLICY, GOVERNMENTS SHOULD WORK TOGETHER TO HARMONISE POLICIES TO THE GREATEST EXTENT POSSIBLE.

[106] These Guidelines on international cryptography policy should be used for national policy formulation and in preparing national regulations.

[107] In order to promote the broad international acceptance of cryptography and enable the full potential of the GII/GIS, cryptography policies adopted by a country should harmonise with similar policies of other countries.

[108] Aspects of cryptography policy which should be harmonised at the international level include regulation and certification of keyholders or key management systems, conditions of lawful access, and government controls or regulations placed on cryptographic methods, including their export.

SECRETARIAT NOTE: One delegation suggested this paragraph is unnecessary and unobtainable.

end of document