Interesting People mailing list archives
IP: Baker (endlessly) on the OECD Guidelines
From: David Farber <farber () cis upenn edu>
Date: Thu, 27 Mar 1997 20:51:28 -0500
Date: Thu, 27 Mar 97 20:14:47 EST
From: "Stewart Baker" <sbaker () mail steptoe com>
To: farber () cis upenn edu
Subject: Baker (endlessly) on the OECD Guidelines

Dave:

I have done a legal analysis of the OECD Guidelines that tries to unpack them in detail and to get beyond the spin doctor approach that has dominated press discussions of the Guidelines so far. It's an apparently endless (actually 20 pages single-spaced) document on my firm's web page: http://www.steptoe.com/pubtoc.htm. For those who can't resist the spin, though, I attach a portion of my analysis of the "lawful access" principle.

Stewart Baker

Excerpt:

This principle was the centerpiece of the OECD talks. The principal reason that the United States asked for a cryptography experts' group was to highlight the threat that unrestricted cryptography poses to law enforcement agencies and to their ability to gain access to evidence of crimes. Without some recognition that the need for lawful access is a major factor in cryptography policy, the U.S., France, and the UK would not have had much reason to endorse the Guidelines.

It remains, however, a controversial proposal, especially among countries that do not plan to encourage key-recovery systems at home. It is therefore limited in many significant respects. For example, this is the only principle that does not make a recommendation to governments. This principle does not say that members should adopt lawful access regimes, only that they "may" do so. Similarly, no other principle is qualified by an entire sentence intended to restrict its scope: the lawful access policies of governments, the principle declares, "must respect the other principles to the greatest extent possible." This is also the only place in the principles themselves where the verb "must" is used, a remarkable deviation from the normal OECD practice of never issuing mandates to its member nations.
The most reasonable reading of this second sentence is that it deliberately subordinates the lawful access principle to the other seven principles. On that reading, the sentence supplements the integration section, which otherwise calls on governments to respect all of the principles in implementing lawful access proposals. Such a reading is also consistent with the explanatory text of principle 2, which pointedly states that any regulation of cryptography should respect user choice to the greatest extent possible. The explanatory text for this principle elaborates on the same theme. It notes -- in a particularly tortured passage -- that key management systems (presumably key-recovery systems that allow for access) "could provide a basis for possible solutions which could balance the interests of users and law enforcement authorities." This is hardly a resounding endorsement of systems that provide lawful access. To drive that point home, the explanatory text declares that the OECD's adoption of the lawful access principle "should not be interpreted as implying that governments should, or should not, initiate legislation that would allow lawful access."