GLOBAL INTERNET PROJECT PRINCIPLES
GLOBAL INFORMATION SECURITY INFRASTRUCTURE

1. Private Sector Requirements. The private sector requires effective encryption for information security, including confidentiality, authenticity, and integrity of information in electronic form.

Because the Internet is not designed to provide centralized information security, individuals and companies bear the responsibility for securing and verifying information sent or received over open networks.

2. Immediate Business Needs. Business has an immediate need for security. These industry segments, among others, include:

· Internet Business Communications
· Financial Transactions
· Intranets for the internal communications of multinational enterprises
· Transactions with governments
· Private medical information services.

Businesses require the use of encryption technology strong enough to protect themselves against the level of threat they face.

3. Standards. Agreement on international encryption standards is desirable given the demand for globally inter-operable encryption systems.

Standards setting shall be industry-led, consistent with conventional standards setting procedures.

Standards shall be made public.

Standards shall allow for self-certification.

Participation in the standards process and use of any product resulting from that standard shall be voluntary.

4. Government Access Requirements. Governments have a right to access certain private communications when authorized to do so by law.

5. International Cooperation. International cooperation among governments aimed at the harmonization of national policies is essential.

To ensure that government policies reflect market realities, governments must include private sector representatives in the development of policy at the international level.

6. Trade. Government policies on information security and encryption should be non-discriminatory, offer national treatment to foreign companies, and not serve as non-tariff barriers to trade.

Governments must not restrict the import of encryption products.

Governments must not restrict domestic use of foreign encryption products.

Government policy on encryption exports must acknowledge that encryption has predominantly civil, not military, applications.

Any export controls on encryption must be undertaken on the basis of an international, market-driven consensus as to which encryption products will be controlled and an international commitment to enforcement.

Any export controls, including license requirements, shall take into account:
(a) the foreign availability of comparable encryption products, with no controls imposed on products available from a supplier in a country which has not agreed to control exports;
(b) the identity of the end-user, with minimal controls imposed on exports of strong encryption to all reliable and legitimate commercial end-users;
(c) the rapid pace of technological developments, including in the field of decryption, which weighs against the imposition of technology control levels.

7. Key Management Practices. The decision of whether to escrow an encryption key with a key escrow agent or trusted third party (TTP) rests with the user.

Key management practices shall be determined by agreement between the user and the user's chosen key escrow agent(s).

Government policy must not mandate the use of key escrow encryption products nor mandate the escrow of encryption keys with a government agency. Government regulation of the key escrow industry should reflect the following principles:

(a) no distinction should be made between hardware and software implementations of key escrow;
(b) users must be given free choice in key management, including the right to escrow keys within the company or outside the company with one or more private escrow agents in one or more countries; and
(c) an escrow agent's disclosure of an encryption key to the government should occur only pursuant to lawful authorization.

8. Liability. Liability for key management should be determined by private law, such as the contract between vendor and customer. No liability should arise for compliance in good faith with government requests supported by a court order for encryption keys or decryption assistance.

9. Legal Framework. Government information security policies should not have the effect of diminishing legal protections available to individuals under existing law. To the maximum extent possible, government information security policies should be made within existing legal frameworks because the enactment of new laws can inject uncertainty into the marketplace and have unintended consequences. Protection for privacy should be at least as strong as under telecommunications law.

10. Transparency. To the maximum extent possible, information security policy making at the national and international level should be open to the public.


Note to users: All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.
1996 GIP (Global Internet Project) All rights reserved.