Interesting People mailing list archives

IP: Baker (endlessly) on the OECD Guidelines


From: David Farber <farber () cis upenn edu>
Date: Thu, 27 Mar 1997 20:51:28 -0500

Date: Thu, 27 Mar 97 20:14:47 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () cis upenn edu
Subject: Baker (endlessly) on the OECD Guidelines


     
     Dave:
     
     I have done a legal analysis of the OECD Guidelines that tries to unpack
     them in detail and to get beyond the spin doctor approach that has
     dominated press discussions of the Guidelines so far.  It's an apparently
     endless (actually 20 pages singlespaced) document on my firm's web page:
     http://www.steptoe.com/pubtoc.htm.
     
     For those who can't resist the spin, though, I attach a portion of my 
     analysis of the "lawful access" principle.
     
     Stewart Baker
     
     Excerpt:
     
     This principle was the centerpiece of the OECD talks. The principal
     reason that the United States asked for a cryptography experts' group
     was to highlight the threat that unrestricted cryptography poses to law
     enforcement agencies and to their ability to gain access to evidence of
     crimes. Without some recognition that the need for lawful access is a
     major factor in cryptography policy, the U.S., France, and the UK would
     not have had much reason to endorse the Guidelines. It remains, however,
     a controversial proposal, especially among countries that do not plan to
     encourage key-recovery systems at home. It is therefore limited in many
     significant respects.
     
     For example, this is the only principle that does not make a
     recommendation to governments. This principle does not say that members
     should adopt lawful access regimes, only that they "may" do so.
     
     Similarly, no other principle is qualified by an entire sentence
     intended to restrict its scope: the lawful access policies of
     governments, the principle declares, "must respect the other principles
     to the greatest extent possible." This is also the only place in the
     principles themselves where the verb "must" is used, a remarkable
     deviation from the normal OECD practice of never issuing mandates to its
     member nations. The most reasonable reading of this second sentence is
     that it deliberately subordinates the lawful access principle to the
     other seven principles. On that reading, the sentence supplements the
     integration section, which otherwise calls on governments to respect all
     of the principles in implementing lawful access proposals. Such a
     reading is also consistent with the explanatory text of principle 2,
     which pointedly states that any regulation of cryptography should
     respect user choice to the greatest extent possible. The explanatory
     text for this principle elaborates on the same theme. It notes -- in a
     particularly tortured passage -- that key management systems (presumably
     key-recovery systems that allow for access) "could provide a basis for
     possible solutions which could balance the interests of users and law
     enforcement authorities." This is hardly a resounding endorsement of
     systems that provide lawful access. To drive that point home, the
     explanatory text declares that the OECD's adoption of the lawful access
     principle "should not be interpreted as implying that governments
     should, or should not, initiate legislation that would allow lawful
     access."

