International Working Group on Data Protection in Telecommunications:
COMMON STATEMENT ON CRYPTOGRAPHY
12 September 1997
(The French Members of the Working Group did not participate in the adoption of this Statement. The UK Data Protection Registrar has reservations vis-à-vis this statement.)
The protection of privacy and personal correspondence against
arbitrary intrusions is a human right (Art.12 Universal Declaration
of Human Rights; Art.17 International Covenant on Civil and Political
Rights; Art.8 European Convention on Human Rights). In the Information
Society where communication takes place mainly via telecommunications
facilities this means that everybody has a right to have his electronically
transmitted messages treated confidentially and that no unauthorised
person can intercept their contents.
Following a proposal of the International Working Group on Telecommunications
and Media the 7th International Conference of Data Protection
and Privacy Commissioners has pointed out in a resolution at its
session in Luxembourg on 26 September 1985, that integration and
digitalisation increase the danger of unauthorised recording and
evaluating of transmitted information. The 11th International
Conference of Data Protection and Privacy Commissioners at its
session on 30 August 1989 in Berlin has called for data security
facilities to be offered against unauthorised access, manipulation,
interception and for guaranteeing the authenticity of the sender
on the highest technical level and at acceptable costs.
The only measure meeting these demands is the encryption of messages.
The offer of sufficient encryption methods for the users of telecommunications
services is therefore essential for guaranteeing privacy. It is
also a key element of privacy-enhancing technologies. With respect
to mobile communications the 12th International Conference of
Data Protection and Privacy Commissioners at its session on 19
September 1990 in Paris called for network operators to be obliged
to offer subscribers to mobile telephone networks effective encryption
procedures. The offer of end-to-end encryption facilities has
been a key demand of Data Protection Commissioners when discussing
the Draft European Telecommunications Directive (cf. Art.4 of
the Common Position).
The International Working Group on Data Protection in Telecommunications
confirms its demand that for guaranteeing confidentiality users
of electronic telecommunications services should have the opportunity
to encrypt their messages on a level of their own free choice.
The prohibition of encrypting messages that is being discussed
in some countries goes against this principle. It would not only
hinder citizens in looking after their human right to unobservable
communications, but also foster the abuse of telecommunications
for illegal purposes. It could be bypassed at any time
by those having the technical and financial means, so that a prohibition
would only affect unsuspecting citizens.
A restriction of encryption facilities e.g. by licensing the necessary
software could have the same effect. It is for the reasons mentioned
above in particular not suitable to fight organised crime.
The International Working Group on Data Protection in Telecommunications
understands the demands of law enforcement agencies to have access
to encrypted messages for purposes of preserving public security
and criminal prosecution. The 14th International Conference of
Data Protection and Privacy Commissioners on 29 October 1992 in
Sydney has welcomed a report by the Working Group on the access
of law enforcement agencies to telecommunications contents.
The Conference agreed that the technical and legal development
in the field of telecommunications secrecy had to be monitored
closely to protect the privacy of the individual against excessive
surveillance.
The Working Group doubts that any regulation of encryption facilities
for the purposes of law enforcement agencies can contribute adequately
to fighting serious crimes. An intrusion on telecommunications
secrecy for fighting less serious offences would be excessive
anyway. All the measures that have been discussed (licensing of
software, regulation of import and export, deposit of keys, hardware
back-doors like the "clipper-chip") would lead to a
weaker protection, as these solutions could also be used illegally.
The enforcement of legal requirements only to use certain licensed
keys would reverse the relationship between confidentiality as
a rule and lawful access as an exception. Since legal requirements
in this field can easily be bypassed (e.g. by using hidden codes)
this would amount to excessive and in the end futile surveillance
of the individual. There is therefore a difference between interference
with traditional forms of correspondence and with electronic communications:
Interference with the former may be legal if it "... is necessary
in a democratic society ... for the prevention of disorder or crime ..."
(Art.8 para.2 European Convention on Human Rights); interference
with the latter for the purpose of enforcing limitations of the
use of cryptographic methods could lead to the abandonment of
confidential electronic communications altogether.
The International Working Group on Data Protection in Telecommunications
welcomes the OECD Guidelines for Cryptography Policy of 27 March
1997 as well as the Ministerial Declaration of the European
Ministerial Conference (Bonn, 6-8 July 1997) which stress the
importance of trustworthy cryptographic methods in order to generate
user confidence in reliable information and communications systems.
The OECD Guidelines also underline the principle that free user
choice of cryptographic methods should not be limited by new legislation
(Principle 2 of the OECD Guidelines). National policies allowing
for lawful access must respect this principle to the greatest
extent possible (Principle 6). The Working Group attaches particular
importance to the privacy implications raised by cryptographic
methods being used to ensure the integrity of data in electronic
transactions (Principle 5). The collection of personal data and
the creation of systems for personal identification in connection
with the use of these methods require special privacy safeguards
to be established.