
STATEMENT OF THE U.S. COUNCIL ON

THE OECD GUIDELINES ON CRYPTOGRAPHY

 

November 1997

 

The United States Council for International Business (USCIB) has actively participated in the negotiation of the OECD Guidelines for Cryptography Policy (Guidelines), finalized at the March 27 meeting of the OECD Council. USCIB believes that there is useful language in the Guidelines that can support and promote the essential role of the private sector in building, maintaining and operating electronic networks. However, many of our members have expressed deep concern that the language in five provisions of the Guidelines can be read to be inimical to the needs of the market and the growth of electronic commerce. It is essential that the Guidelines be interpreted and implemented in ways that are driven by market needs.

 

USCIB members devoted considerable time and effort to the development of guidelines that meet the needs of business, users and governments.  As the American member organization of the Business and Industry Advisory Committee (BIAC) to the OECD, USCIB actively participated in the OECD Ad Hoc Group of Experts on Cryptography Policy and in the Group of Experts on Security, Privacy and Intellectual Property in the Global Information Infrastructure / Global Information Society (GII/GIS).  Despite our active participation and advocacy, some important suggestions and comments of the USCIB were not reflected in the Guidelines.

 

The USCIB singled out the following provisions of the Guidelines as being particularly supportive of international business objectives:

 

•  Market Driven Development of Cryptographic Methods:  A market driven environment will promote cost effective, interoperable, portable and mobile cryptographic methods and will ensure that solutions keep pace with technological change and the needs of users.

 

•  Lawful Access:  The business community understands that there are legitimate law enforcement reasons for lawful access to the plain text of encrypted data. The Guidelines propose certain measures meant to prevent misuse of that access and establish procedures to develop accountability. (Discussion of problem areas in Lawful Access on page 2).

 

•  Liability:  Clear rules establishing liability, through contract, or where necessary through national legislation, will create the predictability needed to foster further investment in and use of the Global Information Infrastructure.

 

•  International Cooperation:  This important principle will promote the international availability and use of cryptographic methods, as well as prevent governments from creating unjustified obstacles to global electronic commerce and international trade.

•  Choice:  The business community supports the rights of users to freely choose from the variety of cryptographic methods available to meet their specific needs and data security requirements.  (Discussion of problem areas in Choice below)

 

On the other hand, the language of the explanatory texts of the following five provisions of the Guidelines can be interpreted to be harmful to the interests of U.S. business and the development of the GII:

 

•  Standards: Industry has provided leadership in information technology because it has successfully and efficiently met the demands of the global market.  The ambiguous language of this principle could jeopardize this approach because it does not acknowledge the primacy of market forces in developing standards.  Market driven development of standards enables companies to develop standards that become world standards.  Nor does the principle recognize the importance of the voluntary, consensus‑based, international, industry driven standards-making process.  The principle could also create a national government market barrier that would prove costly and damaging to public and private needs. While a role exists for national governments to assist in developing market-based standards, enlarging that role will likely impede the goal of achieving interoperable standards.

 

•  Trust: Trust in cryptographic methods is best developed by market forces. The text of the Guidelines does not recognize the primacy of market forces in building trust. Many USCIB members are concerned that the text could serve to justify the kind of system that would provide for government regulation or licensing of cryptographic products or services without allowing market forces and industry developed approaches to enhance user trust.

 

•  Lawful Access: Certain references to key management systems could have a harmful effect on the market-driven development of the GII because they could be interpreted to violate the OECD concept of technology neutrality if read to favor key management systems as the solution that balances the interests of users and law enforcement authorities. Certain ambiguous language could also be used to rationalize a system that would demand the storage of keys and encrypted information as well as the storage of the corresponding plain text, placing an unnecessarily onerous storage and record keeping burden on business. Depending on the perspective of the reader, there may be ambiguity in the language relating to lawful access to certain types or uses of keys.  For example, the USCIB sees no reason why keys that provide for identity or integrity purposes must be required to be made available.

 

• Choice:  We are disappointed with what we consider to be the unnecessary emphasis on applicable law in the Choice Principle given that the Guidelines, in their entirety, are made subject to applicable law elsewhere in the text.

 

•  Privacy: The business community supports the OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data and believes that they should remain the defining principles of privacy interests.  Language used in the privacy principle of the Cryptography Guidelines could put users and vendors in the position of having to resolve conflicts between national cryptography policies and the Privacy Guidelines.

 

{Given these issues, the USCIB welcomes the U.S. Government's interpretive statement, delivered at the March 27 OECD Council meeting, at which the Guidelines were finalized.  This statement went a long way toward developing a market-based approach to the GII and contained excellent language on four of the five principles highlighted above. The USCIB looks forward to working constructively with the U.S. Government on these issues. }

 

OR

 

{Given these issues, the USCIB was disappointed by the U.S. Government's decision not to formally register with the OECD an interpretive statement of these principles that support the concerns of the private sector. The USCIB will continue to work constructively with the U.S. Government on these issues. }    

 

 

# # #

 

 

 

 




