Walsh Report - Annexes

ANNEX A

TERMS OF REFERENCE

The Review is to examine whether legislative or other action should be taken to safeguard national security and law enforcement interests in the light of the rapid development of the global information infrastructure and the continuing need to safeguard individual privacy.

2. The objective of the review will be to present options for encryption policies and legislation which adequately address national security, law enforcement and privacy needs while taking account of policy options being developed to address commercial needs.

3. Key factors to be addressed include:

(a)

Australia's national security and defence interests;

(b)

an assessment of the present state on encryption technologies and prospective developments in encryption technology over the next few years likely to impact on Australia's national security and law enforcement interests;

(c)

whether Australia's present laws are adequate to ensure Australia's national security and law enforcement interests in an environment of rapidly emerging technologies;

(d)

measures to safeguard individual privacy including an examination of the warranting provisions that may be required to enable law enforcement and national security authorities to gain access to encrypted material, whether in the form of stored data or a message transmitted over a telecommunications network;

(e)

an assessment and evidence of the benefits of access by law enforcement and national agencies to encrypted data;

(f)

an assessment of the most appropriate means of funding the development, implementation and maintenance of a decrypting capability for existing and emerging technologies;

(g)

whether Australia should seek to negotiate agreements with any other country or countries governing access to encrypted data where public keys (under a 'commercial key escrow' or 'trusted third party' system of encryption) are held outside Australia;

(h)

whether legislation is desirable to:

(i): regulate the availability of 'commercial key escrow' or 'trusted third party' encryption;
(ii): facilitate the development of 'commercial key escrow' or 'trusted third party' encryption;

(i)

the impact of overseas initiatives associated with encryption technology, particularly in relation to the extent to which international cooperation and proactive specification of desirable characteristics for encryption products and 'commercial key escrow' or 'trusted third party' services is desirable and recommendations as to how such international cooperation best be achieved; the effectiveness of Australia's export controls on encryption technology.

4. The review is to have regard to the Government's existing encryption policies, the work of the OECD Committee of Experts on Security, Privacy and Intellectual Property Protection in the global information infastructure on the development of international crypography guidelines and the work of the Information Policy Task Force on the implementation of open encryption standards which address commercial needs.

ANNEX B

Extract from AUSTRALIA ONLINE,
statement on media issues
published by the Coalition Parties
prior to the 1996 federal election.

Personal Privacy and Commercial Security

New information technology has the capacity to generate a torrent of information on the preferences, lifestyles and financial details of all Australians.

Labor's consistent neglect of the issue of personal privacy is shown in its attempted introduction of the Australia Care, its consistent advocacy of large- scale "dataveillance" of citizens, and its creeping expansion of the use of the tax file number in stark contrast to Mr Keating's own solemn assurances to the Parliament. To quote a recent senior Labor Minister, "privacy is a bourgeois right, related to the concept of private property".

Such an ethos makes a mockery of Labor's "commitment" to genuine information privacy safeguards. In contrast, the Coalition regards personal privacy as a cherished right in a free society.

Whilst the implementation of the principle of informed consent provides citizens with some defence, widespread trading of information and the power of new technology to collate previously unrelated pieces of information will enable the construction of highly revealing profiles on individuals. Often this can be done without individuals knowing that these profiles even exist.

The Coalition accepts that organisations have the right to certain information about their clients, provided this information is used for the purpose for which it is originally offered. However, the Coalition is opposed to such information being used for purposes for which it was not intended, unless the consent of the individual is obtained.

With the development of extensive electronic commerce networks, this issue has a commercial security dimension as well. Encryption technology is essential to electronic commerce. Transactions will not be initiated unless people are confident that personal and financial information is protected from unauthorised interception. Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country.

An inquiry into the extent of information gathering in the public and private sectors, current administrative and regulatory regimes for protection of privacy, and the need for reform will be launched by the Coalition.

This inquiry will present arguments and options to a Coalition Government on privacy policies which will strike a balance between the legitimate interests of public and commercial organisations on the one hand, and the legitimate rights of individuals on the other.

The IPTF will also be required to present options for the implementation of open encryption standards which address commercial needs. The recently released European Union Privacy Directive, which regulates trans-national data flows, has made it imperative that Australia's privacy legislation is updated before our access to overseas information resources is curtailed.

The results of these inquiries will provide input to the deliberations of the Online Government Council on the issues of privacy. In particular, the merits of a national Privacy Code of Practice, binding both public and private sectors will be considered by the Council.

The requirements of security agencies to monitor network traffic are a particularly difficult problem. The rights of private individuals to encrypt messages and commercial transactions have been the subject of heated debate in the United States. ]be Coalition, with its strong pro-privacy bias, takes the view that the onus is on security agencies to demonstrate that the benefits of mandating "crackable" codes (as has been attempted in the USA with the "Clipper" chip technology) outweigh the social and economic consequences of the loss of personal privacy and commercial security that this would entail.

[extract of pages 15.1-16.2. Emphasis
shown as in original statement.]

ANNEX C

ADMINISTRATION STATEMENT ON COMMERCIAL ENCRYPTION POLICY
July 12, 1996

The Clinton Administration is proposing a framework that will encourage the use of strong encryption in commerce and private communications while protecting the public safety and national security. It would be developed by industry and will be available for both domestic and international use.

The framework will permit U.S. industry to take advantage of advances in technology pioneered in this country, and to compete effectively in the rapidly changing international marketplace of communications, computer networks, and software. Retaining U.S. industry's leadership in the global information technology market is of longstanding importance to the Clinton Administration.

The framework will ensure that everyone who communicates or stores information electronically can protect his or her privacy from prying eyes and ears as well as against theft of, or tampering with, their data. The framework is voluntary; any American will remain free to use any encryption system domestically.

The framework is based on a global key management infrastructure that supports digital signatures and confidentiality. Trusted private sector parties will verify digital signatures and also will hold spare keys to confidential data. Those keys could be obtained only by persons or entities that have lost the key to their own encrypted data, or by law enforcement officials acting under proper authority. It represents a flexible approach to expanding the use of strong encryption in the private sector.

This framework will encourage commerce both here and abroad. It is similar to the approach other countries are taking, and will permit nations to establish an internationally inter-operable key management infrastructure with rules for access appropriate to each country's needs and consistent with law enforcement agreements. Administration officials are currently working with other nations to develop the framework for that infrastructure.

In the expectation of industry action to develop this framework internationally, and recognizing that this development will take time, the Administration intends to take action in the near term to facilitate the transition to the key management infrastructure.

The measures the Administration is considering include:

1. Liberalizing export controls for certain commercial encryption products.

2. Developing, in cooperation with industry, performance standards for key recovery systems and products that will be eligible for general export licenses, and technical standards for products the government will purchase.

3. Launching several key recovery pilot projects in cooperation with industry and involving international participation.

4. Transferring export control jurisdiction over encryption products for commercial use from the Department of State to the Department of Commerce.

Administration officials continue to discuss the details of these actions with experts from the communications equipment, computer hardware and software industries, civil liberties groups and other members of the public, to ensure that the final proposal balances industry actions towards the proposed framework, short-term liberalization initiatives, and public safety concerns.

The Administration does not support the bills pending in Congress that would decontrol the export of commercial encryption products because of their serious negative impact on national security and law enforcement. Immediate export decontrol by the U.S. could also adversely affect the security interests of our trading partners and lead them to control imports of U.S. commercial encryption products.

A Cabinet Committee continues to address the details of this proposal. The Committee intends to send detailed recommendations to the President by early September, including any recommendations for legislation and Executive Orders. The Committee comprises the Secretaries of State, Defense, Commerce and Treasury; the Attorney General; the Directors of Central Intelligence and the Federal Bureau of Investigation; and senior representatives from the Office of the Vice President, the Office of Management and Budget, and the National Economic Council.

ANNEX D

PAPER ON REGULATORY INTENT CONCERNING USE OF
ENCRYPTION ON PUBLIC NETWORKS

1. Summary

The Government recognises the importance of the development of the Global Information Infrastructure (GII) with respect to the continuing competitiveness of UK companies. Its aim is to facilitate the development of electronic commerce by the introduction of measures which recognise the growing demand for encryption services to safeguard the integrity and confidentiality of electronic information transmitted on public telecommunications networks.

2. The policy, which has been decided upon after detailed discussion between Government Departments, involves the licensing and regulation of Trusted Third Parties (hereafter called TTPS) which will provide a range of information security services to their clients, whether they are corporate users or individual citizens. The provision of such information security services will be welcomed by IT users, and will considerably facilitate the establishment of, and industry's participation in, the GR, where trust in the security of communication has been acknowledged to be of paramount importance. The licensing policy will aim to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act.

3. The Government intends to bring forward proposals for legislation following consultation by the Department of Trade and Industry on detailed policy proposals.

2. Background

4. The increased use of IT systems by British business and commerce in the last decade has been a major factor in their improved competitive position in global markets. This reliance on IT systems has, however, brought with it increased security risks; especially concerning the integrity and confidentiality of information passed electronically between trading bodies. The use of encryption services on electronic networks can help solve some of these security problems. In particular TTPs will facilitate secure electronic communications either within a particular trading environment (eg between a bank and its customers) or between companies, especially smaller ones, that do not necessarily have any previous trading relationship.

5. In developing an encryption policy for the information society, we have also considered how the spread and availability of encryption technology will affect the ability of the authorities to continue to fight serious crime and terrorism. In developing policy in this area, the Government has been concerned to balance the commercial requirement for robust encryption services, with the need to protect users and for the intelligence and law enforcement authorities to retain the effectiveness of warranted interception under the Interception of Communications Act (1985).

6. Consideration by Government has also been given to the requirement for business to trade electronically throughout Europe and further afield. The inter-departmental discussions have therefore taken into account draft proposals by the European Commission, concerning information security (which include the promotion of TTPS), and discussions on similar issues taking place within the OECD.

3. The Government's Proposals

(a) Licensing

7. By their nature, TTPS, whatever services they may provide, will have to be trusted by their clients. Indeed in a global trading environment there will have to be trust of, and between, the various bodies fulfilling this function. To engender such trust, TTPs providing information security services to the general public will be licensed. The licensing regime would seek to ensure that organisations and bodies desiring to be TTPs will be fit for the purpose. The criteria could include fiduciary requirements (eg appropriate liability cover), competence of employees and adherence to quality management standards. TTPs would also be required to release to the authorities the encryption keys of their clients under similar safeguards to those which already exist. We would expect organisations with existing customers, such as banks, network operators and associations (trade or otherwise) to be prime candidates for TTPS.

8. The Government will consult with organisations such as financial services companies, who have made existing arrangements for the use and provision of encryption services, with the intention of avoiding any adverse effects on their competitiveness. It is not the intention of the government to regulate the private use of encryption. It will, however, ensure that organisations and bodies wishing to provide encryption services to the public will be appropriately licensed.

(b) Services Offered

9. The services which a TTP may provide for its customers will be a commercial decision. Typically, provision of authentication services may include the verification of a client's public key, time stamping of documents and digital signatures (which secure the integrity of documents). TTPs may also offer a service of key retrieval (typically for documents and files that have been encrypted by employees) in addition to facilitating the real time encryption of a client's communications.

10. Licensed TTPs operating within a common architectural framework, on a European or even a global basis, will be able to facilitate secure communications between potential business partners in different countries. Providing the respective clients trust their TTPS, secure electronic commerce between parties who have not met will become possible because they will have confidence in the security and integrity of their dealings.

11. It is envisaged that a common architectural framework will be needed to support the information security services being offered by TTPs in different countries. Clearly this will be a matter for negotiation between interested parties taking into account developments in international standards organisations. The architecture would need, however, to support both the provision of integrity and confidentiality and therefore be capable of verifying public encryption keys and escrowing private ones. There is no reason why it should not also support a choice of encryption algorithms, such as those on the ISO (International Standards Organisation) register.

12. In support of such an architectural framework we would envisage manufacturers developing software or hardware products for use by the business community. Such products will need to be consistent with whatever standard (or standards) are arrived at to enable TTPs to interoperate. The type of algorithm used for message encryption, and whether it is implemented in hardware or software, will be a matter of business choice.

(d) European Union

13. The Government is working closely with the European Commission on the development of encryption services through their work on information security. Arrangements concerning lawful interception and the regulation of TTPs in that context are matters for Member States to determine. However, the Commission has an important role in facilitating the establishment of an environment where developments in the use of TTPs can be fostered. The Commission should soon be in a position to bring forward a programme of work involving, for example, the piloting and testing of TTP networks.

(e) OECD

14. The Government are also participating in discussions at the OECD on encryption matters. Where possible we will encourage the development of networks of TTPs which facilitate secure electronic trading on a global basis.

(f) Export Controls

15. Export controls will remain in place for encryption products (whether in hardware or software form) and for digital encryption algorithms. However, to facilitate the participation of business and commerce in the information society the Government will take steps, with our EU partners, with a view to simplifying the export controls applicable to encryption products which are of use with licensed TTPS.

4. Consultation

16. Officials from the Department of Trade and Industry have already held preliminary discussions with various industry groups on the general concepts surrounding the provision of encryption services through TTPS. A more formal consultation on the Government's proposals will be undertaken by the Department of Trade and Industry with all interested parties prior to the bringing forward of legislative proposals. The Government recognises that the successful facilitation of electronic commerce through the introduction of information security services by TTPs either in the UK or in Europe, will, to a significant extent, depend on their widespread use across business. It will therefore be important to secure the broad acceptance of the business community for the Government's proposals. The Department will pay particular attention to this during the consultation process.

Department of Trade and Industry London

Last updated on Tuesday, 11 June 1996

ANNEX E

OECD Guidelines

Annex to the Recommendation of the Council of 23rd September 1980

GUIDELINES GOVERNING THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA

PART ONE. GENERAL

Definitions

1.

For the purposes of these Guidelines:

a): "data controller" means a party who, according to domestic law, is competent to decide about the contents and use of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf;
b): "personal data" means any information relating to an identified or identifiable individual (data subject)
c): "transborder flows of personal data" means movements of personal data across national borders.

Scope of Guidelines

2.

These Guidelines apply to personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties.

3.

These Guidelines should not be interpreted as preventing:

a): the application, to different categories of personal data, of different protective measures depending upon their nature and the context in which they are collected, stored, processed or disseminated;
b): the exclusion from the application of the Guidelines of personal data which obviously do not contain any risk to privacy and individual liberties; or
c): the application of the Guidelines only to automatic processing of personal data.

4.

Exceptions to the Principles contained in Parts Two and Three of these Guidelines, including those relating to national sovereignty, national security and public policy ("order public"), should be:

a): as few as possible, and
b): made known to the public.

5.

In the particular case of Federal countries the observance of these Guidelines may be affected by the division of powers in the Federation.

6.

These Guidelines should be regarded as minimum standards which are capable of being supplemented by additional measures for the protection of privacy and individual liberties.

PART TWO
BASIC PRINCIPLES OF NATIONAL APPLICATION

Collection Limitation Principle

7.: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

8.: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle

9.: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

10.

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:

a): with the consent of the data subject; or
b): by the authority of law.

Security Safeguards Principle

11.: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle

12.: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

13.

An individual should have the right:

a)

to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

b)

to have communicated to him, data relating to him

i): within a reasonable time;
ii): at a charge, if any, if that is not excessive;
iii): in a reasonable manner; and
iv): in a form that is readily intelligible to him;

c)

to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d)

to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Accountability Principle

14.: A data controller should be accountable for complying with measures which give effect to the principles stated above.

PART THREE
BASIC PRINCIPLES OF INTERNATIONAL APPLICATION:
FREE FLOW AND LEGITIMATE RESTRICTIONS

15.: Member countries should take into consideration the implications for other Member countries of domestic processing and re-export of personal data.
16.: Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.
17.: A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.
18.: Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.

PART FOUR
NATIONAL IMPLEMENTATION

19.

In implementing domestically the principles set forth in Parts Two and Three, Member countries should establish legal, administrative or other procedures or institutions for the protection of privacy and individual liberties in respect of personal data. Member countries should in particular endeavour to:

a): adopt appropriate domestic legislation;
b): encourage and support self-regulation, whether in the form of codes of conduct or otherwise;
c): provide for reasonable means for individuals to exercise their rights;
d): provide for adequate sanctions and remedies in case of failures to comply with measures which implement the principles set forth in Parts Two and Three; and
e): ensure that there is no unfair discrimination against data subjects.

PART FIVE
INTERNATIONAL CO-OPERATION

20.

Member countries should, where requested, make known to other Member countries details of the observance of the principles set forth in these Guidelines. Member countries should also ensure that procedures for transborder flows of personal data and for the protection of privacy and individual liberties are simple and compatible with those of other Member countries which comply with these Guidelines.

21.

Member countries should establish procedures to facilitate:

a): information exchange related to these Guidelines, and
b): mutual assistance in the procedural and investigative matters involved.

22.

Member countries should work towards the development of principles, domestic and international, to govern the applicable law in the case of transborder flows of personal data.

ANNEX F

STATEMENT OF THE VICE-PRESIDENT OF THE
UNITED STATES ON ENCRYPTION
OCTOBER 1, 1996

President Clinton and I are committed to promoting the growth of electronic commerce and robust, secure communications worldwide while protecting the public safety and national security. To that end, this Administration is consulting with Congress, the information technology industry, state and local law enforcement officials, and foreign governments on a major initiative to liberalize export controls for commercial encryption products.

The Administration's initiative will make it easier for Americans to use stronger encryption products - - whether at home or abroad - - to protect their privacy, intellectual property and other valuable information. It will support the growth of electronic commerce, increase the security of the global information, and sustain the economic competitiveness of U.S. encryption product manufacturers during the transition to a key management infrastructure with key recovery.

Under this initiative, the export of 56-bit key length encryption products will be permitted under a general licence after one-time review, and contingent upon industry commitments to build and market future products that support key recovery. This policy will apply to hardware and software products. The relaxation of controls will last up to two years.

The Administration's initiative recognizes that an industry-led technology strategy will expedite market acceptance of key recovery, and that the ultimate solution must be market-driven.

Exporters of 56-bit DES or equivalent encryption products would make commitments to develop and sell products that support the key recovery system that I announced in July. That vision presumes that a trusted third party (in some cases internal to the user's organization) would recover the user's confidentiality key for the user or for law enforcement officials acting under proper authority. Access to keys would be provided in accordance with destination country policies and bilateral understandings. No key length limits or algorithm restrictions will apply to exported key recovery products.

Domestic use of key recovery will be voluntary, and any American will remain free to use any encryption system domestically.

The temporary relaxation of controls is one part of a broader encryption policy initiative designed to promote electronic information security and public safety. For export control purposes, commercial encryption products will no longer be treated as munitions. After consultation with Congress, jurisdiction for commercial encryption controls will be transferred from the State Department to the Commerce Department. The Administration also will seek legislation to facilitate commercial key recovery, including providing penalties for improper release of keys, and protecting key recovery agents against liability when they properly release a key.

As I announced in July, the Administration will continue to expand the purchase of key recovery products for U.S. government use, promote key recovery arrangements in bilateral and multilateral discussions, develop federal cryptographic and key recovery standards, and stimulate the development of innovative key recovery products and services.

Under the relaxation, six-month general export licenses will be issued after one-time review. contingent on commitments from exporters to explicit benchmarks and milestones for developing and incorporating key recovery features into their products and services, and for building the supporting infrastructure internationally. Initial approval will be contingent on firms providing a plan for implementing key recovery. The plan will explain in detail the steps the applicant will take to develop, produce, distribute, and/or market encryption products with key recovery features. The specific commitments will depend on the applicant's line of business.

The government will renew the licences for additional six-month periods if milestones are met. Two years from now, the export of 56-bit products that do not support key recovery will no longer be permitted. Currently exportable 40- bit mass market software products will continue to be exportable. We will continue to support financial institutions in their efforts to assure the recovery of encrypted financial information. Longer key lengths will continue to be approved for products dedicated to the support of financial applications.

The Administration will use a formal mechanism to provide industry, users, stand and local law enforcement, and other private sector representatives with the opportunity to advise on the future of key recovery. Topics will include:

-: evaluating the developing global key recovery architecture
-: assessing lessons learned from key recovery implementation
-: advising on technical confidence issues vis-a-vis access to and release of keys
-: addressing interoperability and standards issues
-: identifying other technical, policy and program issues for government action.

The Administration's initiative is broadly consistent with the recent recommendations of the National Research Council. It also addresses many of the objectives of pending Congressional legislation, while protecting the public safety and national security. But this export liberalization poses risks to public safety and national security. The Administration is willing to tolerate that risk, for a limited period, in order to accelerate the development of a global key management infrastructure.

The White House
Office of the Vice-President
October 1, 1996

Index