INFOSEC Business Advisory Group (IBAG) STATEMENT

December, 1995

Commercial Use of Cryptography

The INFOSEC Business Advisory Group (IBAG) published a statement on the Commercial Use of Cryptography some 2 years ago. The approach taken in that statement, and the business need for the international availability of adequately strong cryptography remains true today. However, some progress has been made in articulating ways in which the legitimate needs of the players can be met.

Further, Eurobit, ITI and JEIDA presented a document to the G7 Meeting in Brussels on February 25/26 1995 that provided Industry Recommendations for joint Government/Industry activity in 6 areas to ensure successful exploitation of the opportunities presented by the Global Information Society. One of those 6 areas was that of Privacy and Trust in the Global Information Society, and a key element of the recommendations in that area was a need to resolve the current unsatisfactory, to Industry, situation on the availability of cryptographic mechanisms internationally.

This paper does not repeat the general summary and background of these earlier documents. It does take note of those Principles being developed by the Quadripartite Group - Eurobit, ITI, JEIDA and ITAC - but focuses on the needs of business. IBAG believes that these Principles can form the basis of more detailed agreement on the provision internationally of cryptographic mechanisms of adequate strength for use by business.


1. Governments, businesses and individuals each have the right and responsibility to determine the level of protection needed for their specific information, and to choose adequately strong encryption methods to achieve those levels of protection, including type of algorithm used, key length, method of implementation, etc.

2. At least the same rights and safeguards concerning confidentiality and integrity of information shall apply to information created and communicated electronically as currently applies to paper based information.

3. Except as qualified below, businesses and individuals have the right to seek confidentiality of information they send, receive or retain.

4. Businesses and individuals have the right to ensure that information sent, received or retained is not subject to undetected change or modification.

5. Businesses and individuals have the right to be able, where necessary, to prove the source of information, to establish the ownership of information and to obtain unequivocal confirmation of the receipt of information.

6. Principle 3 notwithstanding, law-abiding governments have the right, in the prevention, investigation and prosecution of serious crime, lawfully to intercept and lawfully to seize information for evidential purposes only, where there is no practical alternative.

7. Businesses and individuals may lodge keys relating to their cryptographic systems, using agreed standard mechanisms, with a Trusted Party, where that Trusted Party can be an independently accredited body or a suitably accredited authority within their own organisation. Multinational businesses shall be able to hold their own keys in one place within their international organisation.

8. Businesses and individuals shall have right of access to such keys on proof of ownership.

9. Governments and Law Enforcement Agencies should have right of access to such keys only under due process of law in pursuance of their duties as described in Principle 6. It is the responsibility of governments to ensure that international law or inter-governmental agreements allow such access to keys held outside national jurisdiction.

10. Where Governments and Law Enforcement Agencies do obtain keys under such processes, they must only be available for a specified, limited timeframe and the process of obtaining and using the keys must be auditable.

11. Where Trusted Third Party agents hold keys on behalf of businesses and individuals, they must accept liability for any direct or consequential loss or damage resulting from misuse or unauthorised disclosure of those keys.

12. Governments, businesses and individuals must work together to define the requirements for standards that enable these Principles to be implemented, involving other bodies such as regulators and auditors as necessary.

13. The IT industry, in consultation with business and other appropriate bodies, should develop voluntary, consensus, international standards that take into account the requirements established through Principle 12 above. These standards must include variants suitable for all types of business and private use. They must also allow businesses and individuals to conform to national and international laws and regulations, including those on personal privacy and data protection. These standards must include independent procedures for verifying that products conform.

14. These standards, and the mechanisms implementing them, must be published and unclassified, so that their effectiveness can be open to public scrutiny. Any patented mechanisms must be available under fair and reasonable conditions on a non-discriminatory basis.

15. Businesses developing or using products conforming to such standards must have the right to make technical and economic choices about modes of implementation and operation, including the choice between implementation in hardware or software, type of algorithm used, and key length.

16. Governments have a duty to inspire confidence in such standards, once available, for all purposes other than the most sensitive diplomatic and defence purposes.

17. Cryptographic products that conform to the agreed standards should not be subject to import controls, restrictions on use within the law, or restrictive licensing; furthermore, these products should be exportable to all countries except those which are subject to UN embargo.

See later IBAG statement.

See related OECD press release.