OECD GUIDELINES FOR CRYPTOGRAPHY POLICY:
RECOMMENDATION OF THE COUNCIL CONCERNING GUIDELINES FOR CRYPTOGRAPHY POLICY
March 27, 1997
THE COUNCIL,
HAVING REGARD TO:
- the Convention on the Organisation for Economic Co-operation and Development of 14 December 1960, in particular, articles 1 b), 1 c), 3 a) and 5 b) thereof;
- the Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980 [C(80)58(Final)];
- the Declaration on Transborder Data Flows adopted by the Governments of OECD Member countries on 11 April 1985 [Annex to C(85)139];
- the Recommendation of the Council concerning Guidelines for the Security of Information Systems of 26-27 November 1992 [C(92)188/FINAL];
- the Directive [95/46/EC] of the European Parliament and of the Council of the European Union of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-use Goods and Technologies agreed on 13 July 1996;
- the Regulation [(EC) 3381/94] and the Decision [94/942/PESC] of the Council of the European Union of 19 December 1994 concerning the control of the export of dual-use goods;
- and the Recommendation [R(95)13] of the Council of Europe of 11 September 1995 concerning problems of criminal procedural law connected with information technology;
CONSIDERING:
- that national and global information infrastructures are developing rapidly to provide a seamless network for world-wide communications and access to data;
- that this emerging information and communications network is likely to have an important impact on economic development and world trade;
- that the users of information technology must have trust in the security of information and communications infrastructures, networks and systems; in the confidentiality, integrity, and availability of data on them; and in the ability to prove the origin and receipt of data;
- that data is increasingly vulnerable to sophisticated threats to its security, and ensuring the security of data through legal, procedural and technical means is fundamentally important in order for national and international information infrastructures to reach their full potential;
RECOGNISING:
- that, as cryptography can be an effective tool for the secure use of information technology by ensuring confidentiality, integrity and availability of data and by providing authentication and non-repudiation mechanisms for that data, it is an important component of secure information and communications networks and systems;
- that cryptography has a variety of applications related to the protection of privacy, intellectual property, business and financial information, public safety and national security, and the operation of electronic commerce, including secure anonymous payments and transactions;
- that the failure to utilise cryptographic methods can adversely affect the protection of privacy, intellectual property, business and financial information, public safety and national security and the operation of electronic commerce because data and communications may be inadequately protected from unauthorised access, alteration, and improper use, and, therefore, users may not trust information and communications systems, networks and infrastructures;
- that the use of cryptography to ensure integrity of data, including authentication and non-repudiation mechanisms, is distinct from its use to ensure confidentiality of data, and that each of these uses presents different issues;
- that the quality of information protection afforded by cryptography depends not only on the selected technical means, but also on good managerial, organisational and operational procedures;
AND FURTHER RECOGNISING:
- that governments have wide-ranging responsibilities, several of which are specifically implicated in the use of cryptography, including protection of privacy and facilitating information and communications systems security; encouraging economic well-being by, in part, promoting commerce; maintaining public safety; and enabling the enforcement of laws and the protection of national security;
- that although there are legitimate governmental, commercial and individual needs and uses for cryptography, it may also be used by individuals or entities for illegal activities, which can affect public safety, national security, the enforcement of laws, business interests, consumer interests or privacy; therefore governments, together with industry and the general public, are challenged to develop balanced policies;
- that due to the inherently global nature of information and communications networks, implementation of incompatible national policies will not meet the needs of individuals, business and governments and may create obstacles to economic co-operation and development; and, therefore, national policies may require international co-ordination;
- that this Recommendation of the Council does not affect the sovereign rights of national governments and that the Guidelines contained in the Annex to this Recommendation are always subject to the requirements of national law;
On the proposal of the Committee for Information, Computer and Communications Policy;
RECOMMENDS THAT MEMBER COUNTRIES:
- establish new, or amend existing, policies, methods, measures, practices and procedures to reflect and take into account the Principles concerning cryptography policy set forth in the Guidelines contained in the Annex to this Recommendation (hereinafter "the Guidelines"), which is an integral part hereof; in so doing, also take into account the Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980 [C(80)58(Final)] and the Recommendation of the Council concerning Guidelines for the Security of Information Systems of 26-27 November 1992 [C(92)188/FINAL];
- consult, co-ordinate and co-operate at the national and international level in the implementation of the Guidelines;
- act on the need for practical and operational solutions in the area of international cryptography policy by using the Guidelines as a basis for agreements on specific issues related to international cryptography policy;
- disseminate the Guidelines throughout the public and private sectors to promote awareness of the issues and policies related to cryptography;
- remove, or avoid creating in the name of cryptography policy, unjustified obstacles to international trade and the development of information and communications networks;
- state clearly and make publicly available, any national controls imposed by governments relating to the use of cryptography;
- review the Guidelines at least every five years, with a view to improving international co-operation on issues relating to cryptography policy.
Last updated 05/08/00