The Walsh Report
ANNEX A

TERMS OF REFERENCE

The Review is to examine whether legislative or other action should be taken to safeguard national security and law enforcement interests in the light of the rapid development of the global information infrastructure and the continuing need to safeguard individual privacy.

2. The objective of the review will be to present options for encryption policies and legislation which adequately address national security, law enforcement and privacy needs while taking account of policy options being developed to address commercial needs.

3. Key factors to be addressed include:

(a) Australia's national security and defence interests;

(b) an assessment of the present state on encryption technologies and prospective developments in encryption technology over the next few years likely to impact on Australia's national security and law enforcement interests;

(c) whether Australia's present laws are adequate to ensure Australia's national security and law enforcement interests in an environment of rapidly emerging technologies;

(d) measures to safeguard individual privacy including an examination of the warranting provisions that may be required to enable law enforcement and national security authorities to gain access to encrypted material, whether in the form of stored data or a message transmitted over a telecommunications network;

(e) an assessment and evidence of the benefits of access by law enforcement and national agencies to encrypted data;

(f) an assessment of the most appropriate means of funding the development, implementation and maintenance of a decrypting capability for existing and emerging technologies;

(g) whether Australia should seek to negotiate agreements with any other country or countries governing access to encrypted data where public keys (under a 'commercial key escrow' or 'trusted third party' system of encryption) are held outside Australia;

(h) whether legislation is desirable to:

   (i) regulate the availability of 'commercial
key escrow' or 'trusted third party' encryption;

   (ii) facilitate the development of 'commercial key escrow' or 'trusted third party' encryption;

(i) the impact of overseas initiatives associated with encryption technology, particularly in relation to the extent to which international cooperation and proactive specification of desirable characteristics for encryption products and 'commercial key escrow' or 'trusted third party' services is desirable and recommendations as to how such international cooperation best be achieved;

the effectiveness of Australia's export controls on encryption technology.

4. The review is to have regard to the Government's existing encryption policies, the work of the OECD Committee of Experts on Security, Privacy and Intellectual Property Protection in the global information infrastructure on the development of international cryptography guidelines and the work of the Information Policy Task Force on the implementation of open encryption standards which address commercial needs.

----------------------------------------------------------------------------

ANNEX B

Extract from AUSTRALIA ONLINE, statement on media issues published by the Coalition Parties prior to the 1996 federal election.

Personal Privacy and Commercial Security

New information technology has the capacity to generate a torrent of information on the preferences, lifestyles and financial details of all Australians. Labor's consistent neglect of the issue of personal privacy is shown in its attempted introduction of the Australia Card, its consistent advocacy of large-scale "dataveillance" of citizens, and its creeping expansion of the use of the tax file number in stark contrast to Mr Keating's own solemn assurances to the Parliament. To quote a recent senior Labor Minister, "privacy is a bourgeois right, related to the concept of private property". Such an ethos makes a mockery of Labor's "commitment" to genuine information privacy safeguards.

In contrast, the Coalition regards personal privacy as a cherished right in a free society. Whilst the implementation of the principle of informed consent provides citizens with some defence, widespread trading of information and the power of new technology to collate previously unrelated pieces of information will enable the construction of highly revealing profiles on individuals. Often this can be done without individuals knowing that these profiles even exist.

The Coalition accepts that organisations have the right to certain information about their clients, provided this information is used for the purpose for which it is originally offered. However, the Coalition is opposed to such information being used for purposes for which it was not intended, unless the consent of the individual is obtained.

With the development of extensive electronic commerce networks, this issue has a commercial security dimension as well. Encryption technology is essential to electronic commerce. Transactions will not be initiated unless people are confident that personal and financial information is protected from unauthorised interception. Heavy-handed attempts to ban strong encryption techniques will compromise commercial security, discouraging online service industries (particularly in the financial sector) from adopting Australia as a domicile. This would result in a substantial economic loss to the country.

An inquiry into the extent of information gathering in the public and private sectors, current administrative and regulatory regimes for protection of privacy, and the need for reform will be launched by the Coalition. This inquiry will present arguments and options to a Coalition Government on privacy policies which will strike a balance between the legitimate interests of public and commercial organisations on the one hand, and the legitimate rights of individuals on the other.

The IPTF will also be required to present options for the implementation of open encryption standards which address commercial needs.

The recently released European Union Privacy Directive, which regulates trans-national data flows, has made it imperative that Australia's privacy legislation is updated before our access to overseas information resources is curtailed.

The results of these inquiries will provide input to the deliberations of the Online Government Council on the issues of privacy. In particular, the merits of a national Privacy Code of Practice, binding both public and private sectors will be considered by the Council.

The requirements of security agencies to monitor network traffic are a particularly difficult problem. The rights of private individuals to encrypt messages and commercial transactions have been the subject of heated debate in the United States. The Coalition, with its strong pro-privacy bias, takes the view that the onus is on security agencies to demonstrate that the benefits of mandating "crackable" codes (as has been attempted in the USA with the "Clipper" chip technology) outweigh the social and economic consequences of the loss of personal privacy and commercial security that this would entail.

[extract of pages 15.1-16.2. Emphasis shown as in original statement.]

----------------------------------------------------------------------------

ANNEX C

ADMINISTRATION STATEMENT ON COMMERCIAL ENCRYPTION POLICY

July 12, 1996

The Clinton Administration is proposing a framework that will encourage the use of strong encryption in commerce and private communications while protecting the public safety and national security. It would be developed by industry and will be available for both domestic and international use. The framework will permit U.S.
industry to take advantage of advances in technology pioneered in this country, and to compete effectively in the rapidly changing international marketplace of communications, computer networks, and software. Retaining U.S. industry's leadership in the global information technology market is of longstanding importance to the Clinton Administration.

The framework will ensure that everyone who communicates or stores information electronically can protect his or her privacy from prying eyes and ears as well as against theft of, or tampering with, their data. The framework is voluntary; any American will remain free to use any encryption system domestically.

The framework is based on a global key management infrastructure that supports digital signatures and confidentiality. Trusted private sector parties will verify digital signatures and also will hold spare keys to confidential data. Those keys could be obtained only by persons or entities that have lost the key to their own encrypted data, or by law enforcement officials acting under proper authority. It represents a flexible approach to expanding the use of strong encryption in the private sector.

This framework will encourage commerce both here and abroad. It is similar to the approach other countries are taking, and will permit nations to establish an internationally inter-operable key management infrastructure with rules for access appropriate to each country's needs and consistent with law enforcement agreements. Administration officials are currently working with other nations to develop the framework for that infrastructure.

In the expectation of industry action to develop this framework internationally, and recognizing that this development will take time, the Administration intends to take action in the near term to facilitate the transition to the key management infrastructure.

The measures the Administration is considering include:

1.
Liberalizing export controls for certain commercial encryption products.

2. Developing, in cooperation with industry, performance standards for key recovery systems and products that will be eligible for general export licenses, and technical standards for products the government will purchase.

3. Launching several key recovery pilot projects in cooperation with industry and involving international participation.

4. Transferring export control jurisdiction over encryption products for commercial use from the Department of State to the Department of Commerce.

Administration officials continue to discuss the details of these actions with experts from the communications equipment, computer hardware and software industries, civil liberties groups and other members of the public, to ensure that the final proposal balances industry actions towards the proposed framework, short-term liberalization initiatives, and public safety concerns.

The Administration does not support the bills pending in Congress that would decontrol the export of commercial encryption products because of their serious negative impact on national security and law enforcement. Immediate export decontrol by the U.S. could also adversely affect the security interests of our trading partners and lead them to control imports of U.S. commercial encryption products.

A Cabinet Committee continues to address the details of this proposal. The Committee intends to send detailed recommendations to the President by early September, including any recommendations for legislation and Executive Orders. The Committee comprises the Secretaries of State, Defense, Commerce and Treasury; the Attorney General; the Directors of Central Intelligence and the Federal Bureau of Investigation; and senior representatives from the Office of the Vice President, the Office of Management and Budget, and the National Economic Council.

----------------------------------------------------------------------------

ANNEX D

PAPER ON REGULATORY INTENT CONCERNING USE OF ENCRYPTION ON PUBLIC NETWORKS

1. Summary

The Government recognises the importance of the development of the Global Information Infrastructure (GII) with respect to the continuing competitiveness of UK companies. Its aim is to facilitate the development of electronic commerce by the introduction of measures which recognise the growing demand for encryption services to safeguard the integrity and confidentiality of electronic information transmitted on public telecommunications networks.

2. The policy, which has been decided upon after detailed discussion between Government Departments, involves the licensing and regulation of Trusted Third Parties (hereafter called TTPs) which will provide a range of information security services to their clients, whether they are corporate users or individual citizens. The provision of such information security services will be welcomed by IT users, and will considerably facilitate the establishment of, and industry's participation in, the GII, where trust in the security of communication has been acknowledged to be of paramount importance. The licensing policy will aim to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act.

3. The Government intends to bring forward proposals for legislation following consultation by the Department of Trade and Industry on detailed policy proposals.

2. Background

4. The increased use of IT systems by British business and commerce in the last decade has been a major factor in their improved competitive position in global markets.
This reliance on IT systems has, however, brought with it increased security risks; especially concerning the integrity and confidentiality of information passed electronically between trading bodies. The use of encryption services on electronic networks can help solve some of these security problems. In particular TTPs will facilitate secure electronic communications either within a particular trading environment (eg between a bank and its customers) or between companies, especially smaller ones, that do not necessarily have any previous trading relationship.

5. In developing an encryption policy for the information society, we have also considered how the spread and availability of encryption technology will affect the ability of the authorities to continue to fight serious crime and terrorism. In developing policy in this area, the Government has been concerned to balance the commercial requirement for robust encryption services, with the need to protect users and for the intelligence and law enforcement authorities to retain the effectiveness of warranted interception under the Interception of Communications Act (1985).

6. Consideration by Government has also been given to the requirement for business to trade electronically throughout Europe and further afield. The inter-departmental discussions have therefore taken into account draft proposals by the European Commission, concerning information security (which include the promotion of TTPs), and discussions on similar issues taking place within the OECD.

3. The Government's Proposals

(a) Licensing

7. By their nature, TTPs, whatever services they may provide, will have to be trusted by their clients. Indeed in a global trading environment there will have to be trust of, and between, the various bodies fulfilling this function. To engender such trust, TTPs providing information security services to the general public will be licensed.
The licensing regime would seek to ensure that organisations and bodies desiring to be TTPs will be fit for the purpose. The criteria could include fiduciary requirements (eg appropriate liability cover), competence of employees and adherence to quality management standards. TTPs would also be required to release to the authorities the encryption keys of their clients under similar safeguards to those which already exist. We would expect organisations with existing customers, such as banks, network operators and associations (trade or otherwise) to be prime candidates for TTPs.

8. The Government will consult with organisations such as financial services companies, who have made existing arrangements for the use and provision of encryption services, with the intention of avoiding any adverse effects on their competitiveness. It is not the intention of the government to regulate the private use of encryption. It will, however, ensure that organisations and bodies wishing to provide encryption services to the public will be appropriately licensed.

(b) Services Offered

9. The services which a TTP may provide for its customers will be a commercial decision. Typically, provision of authentication services may include the verification of a client's public key, time stamping of documents and digital signatures (which secure the integrity of documents). TTPs may also offer a service of key retrieval (typically for documents and files that have been encrypted by employees) in addition to facilitating the real time encryption of a client's communications.

10. Licensed TTPs operating within a common architectural framework, on a European or even a global basis, will be able to facilitate secure communications between potential business partners in different countries.
Providing the respective clients trust their TTPs, secure electronic commerce between parties who have not met will become possible because they will have confidence in the security and integrity of their dealings.

(c) Architecture and supporting products

11. It is envisaged that a common architectural framework will be needed to support the information security services being offered by TTPs in different countries. Clearly this will be a matter for negotiation between interested parties taking into account developments in international standards organisations. The architecture would need, however, to support both the provision of integrity and confidentiality and therefore be capable of verifying public encryption keys and escrowing private ones. There is no reason why it should not also support a choice of encryption algorithms, such as those on the ISO (International Standards Organisation) register.

12. In support of such an architectural framework we would envisage manufacturers developing software or hardware products for use by the business community. Such products will need to be consistent with whatever standard (or standards) are arrived at to enable TTPs to interoperate. The type of algorithm used for message encryption, and whether it is implemented in hardware or software, will be a matter of business choice.

(d) European Union

13. The Government is working closely with the European Commission on the development of encryption services through their work on information security. Arrangements concerning lawful interception and the regulation of TTPs in that context are matters for Member States to determine. However, the Commission has an important role in facilitating the establishment of an environment where developments in the use of TTPs can be fostered. The Commission should soon be in a position to bring forward a programme of work involving, for example, the piloting and testing of TTP networks.

(e) OECD

14.
The Government are also participating in discussions at the OECD on encryption matters. Where possible we will encourage the development of networks of TTPs which facilitate secure electronic trading on a global basis.

(f) Export Controls

15. Export controls will remain in place for encryption products (whether in hardware or software form) and for digital encryption algorithms. However, to facilitate the participation of business and commerce in the information society the Government will take steps, with our EU partners, with a view to simplifying the export controls applicable to encryption products which are of use with licensed TTPs.

4. Consultation

16. Officials from the Department of Trade and Industry have already held preliminary discussions with various industry groups on the general concepts surrounding the provision of encryption services through TTPs. A more formal consultation on the Government's proposals will be undertaken by the Department of Trade and Industry with all interested parties prior to the bringing forward of legislative proposals. The Government recognises that the successful facilitation of electronic commerce through the introduction of information security services by TTPs either in the UK or in Europe, will, to a significant extent, depend on their widespread use across business. It will therefore be important to secure the broad acceptance of the business community for the Government's proposals. The Department will pay particular attention to this during the consultation process.

Department of Trade and Industry
London

Last updated on Tuesday, 11 June 1996

----------------------------------------------------------------------------

ANNEX E

OECD Guidelines

Annex to the Recommendation of the Council of 23rd September 1980

GUIDELINES GOVERNING THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA

PART ONE. GENERAL

Definitions

1.
For the purposes of these Guidelines:

a) "data controller" means a party who, according to domestic law, is competent to decide about the contents and use of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf;

b) "personal data" means any information relating to an identified or identifiable individual (data subject);

c) "transborder flows of personal data" means movements of personal data across national borders.

Scope of Guidelines

2. These Guidelines apply to personal data, whether in the public or private sectors, which, because of the manner in which they are processed, or because of their nature or the context in which they are used, pose a danger to privacy and individual liberties.

3. These Guidelines should not be interpreted as preventing:

a) the application, to different categories of personal data, of different protective measures depending upon their nature and the context in which they are collected, stored, processed or disseminated;

b) the exclusion from the application of the Guidelines of personal data which obviously do not contain any risk to privacy and individual liberties; or

c) the application of the Guidelines only to automatic processing of personal data.

4. Exceptions to the Principles contained in Parts Two and Three of these Guidelines, including those relating to national sovereignty, national security and public policy ("ordre public"), should be:

a) as few as possible, and

b) made known to the public.

5. In the particular case of Federal countries the observance of these Guidelines may be affected by the division of powers in the Federation.

6. These Guidelines should be regarded as minimum standards which are capable of being supplemented by additional measures for the protection of privacy and individual liberties.

PART TWO

BASIC PRINCIPLES OF NATIONAL APPLICATION

Collection Limitation Principle

7.
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle

9. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

10. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 9 except:

a) with the consent of the data subject; or

b) by the authority of law.

Security Safeguards Principle

11. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle

12. There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

13.
An individual should have the right:

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

b) to have communicated to him, data relating to him

   i) within a reasonable time;

   ii) at a charge, if any, if that is not excessive;

   iii) in a reasonable manner; and

   iv) in a form that is readily intelligible to him;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Accountability Principle

14. A data controller should be accountable for complying with measures which give effect to the principles stated above.

PART THREE

BASIC PRINCIPLES OF INTERNATIONAL APPLICATION: FREE FLOW AND LEGITIMATE RESTRICTIONS

15. Member countries should take into consideration the implications for other Member countries of domestic processing and re-export of personal data.

16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.

17. A Member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other Member country provides no equivalent protection.

18.
Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.

PART FOUR

NATIONAL IMPLEMENTATION

19. In implementing domestically the principles set forth in Parts Two and Three, Member countries should establish legal, administrative or other procedures or institutions for the protection of privacy and individual liberties in respect of personal data. Member countries should in particular endeavour to:

a) adopt appropriate domestic legislation;

b) encourage and support self-regulation, whether in the form of codes of conduct or otherwise;

c) provide for reasonable means for individuals to exercise their rights;

d) provide for adequate sanctions and remedies in case of failures to comply with measures which implement the principles set forth in Parts Two and Three; and

e) ensure that there is no unfair discrimination against data subjects.

PART FIVE

INTERNATIONAL CO-OPERATION

20. Member countries should, where requested, make known to other Member countries details of the observance of the principles set forth in these Guidelines. Member countries should also ensure that procedures for transborder flows of personal data and for the protection of privacy and individual liberties are simple and compatible with those of other Member countries which comply with these Guidelines.

21. Member countries should establish procedures to facilitate:

a) information exchange related to these Guidelines, and

b) mutual assistance in the procedural and investigative matters involved.

22. Member countries should work towards the development of principles, domestic and international, to govern the applicable law in the case of transborder flows of personal data.

----------------------------------------------------------------------------

ANNEX F

STATEMENT OF THE VICE-PRESIDENT OF THE UNITED STATES ON ENCRYPTION

OCTOBER 1, 1996

President Clinton and I are committed to promoting the growth of electronic commerce and robust, secure communications worldwide while protecting the public safety and national security. To that end, this Administration is consulting with Congress, the information technology industry, state and local law enforcement officials, and foreign governments on a major initiative to liberalize export controls for commercial encryption products.

The Administration's initiative will make it easier for Americans to use stronger encryption products -- whether at home or abroad -- to protect their privacy, intellectual property and other valuable information. It will support the growth of electronic commerce, increase the security of the global information, and sustain the economic competitiveness of U.S. encryption product manufacturers during the transition to a key management infrastructure with key recovery.

Under this initiative, the export of 56-bit key length encryption products will be permitted under a general licence after one-time review, and contingent upon industry commitments to build and market future products that support key recovery. This policy will apply to hardware and software products. The relaxation of controls will last up to two years.

The Administration's initiative recognizes that an industry-led technology strategy will expedite market acceptance of key recovery, and that the ultimate solution must be market-driven.

Exporters of 56-bit DES or equivalent encryption products would make commitments to develop and sell products that support the key recovery system that I announced in July.
That vision presumes that a trusted third party (in some cases internal to the user's organization) would recover the user's confidentiality key for the user or for law enforcement officials acting under proper authority. Access to keys would be provided in accordance with destination country policies and bilateral understandings. No key length limits or algorithm restrictions will apply to exported key recovery products.

Domestic use of key recovery will be voluntary, and any American will remain free to use any encryption system domestically.

The temporary relaxation of controls is one part of a broader encryption policy initiative designed to promote electronic information security and public safety. For export control purposes, commercial encryption products will no longer be treated as munitions. After consultation with Congress, jurisdiction for commercial encryption controls will be transferred from the State Department to the Commerce Department.

The Administration also will seek legislation to facilitate commercial key recovery, including providing penalties for improper release of keys, and protecting key recovery agents against liability when they properly release a key.

As I announced in July, the Administration will continue to expand the purchase of key recovery products for U.S. government use, promote key recovery arrangements in bilateral and multilateral discussions, develop federal cryptographic and key recovery standards, and stimulate the development of innovative key recovery products and services.

Under the relaxation, six-month general export licenses will be issued after one-time review, contingent on commitments from exporters to explicit benchmarks and milestones for developing and incorporating key recovery features into their products and services, and for building the supporting infrastructure internationally. Initial approval will be contingent on firms providing a plan for implementing key recovery.
The plan will explain in detail the steps the applicant will take to develop, produce, distribute, and/or market encryption products with key recovery features. The specific commitments will depend on the applicant's line of business.

The government will renew the licences for additional six-month periods if milestones are met. Two years from now, the export of 56-bit products that do not support key recovery will no longer be permitted.

Currently exportable 40-bit mass market software products will continue to be exportable. We will continue to support financial institutions in their efforts to assure the recovery of encrypted financial information. Longer key lengths will continue to be approved for products dedicated to the support of financial applications.

The Administration will use a formal mechanism to provide industry, users, state and local law enforcement, and other private sector representatives with the opportunity to advise on the future of key recovery. Topics will include:

- evaluating the developing global key recovery architecture
- assessing lessons learned from key recovery implementation
- advising on technical confidence issues vis-a-vis access to and release of keys
- addressing interoperability and standards issues
- identifying other technical, policy and program issues for government action.

The Administration's initiative is broadly consistent with the recent recommendations of the National Research Council. It also addresses many of the objectives of pending Congressional legislation, while protecting the public safety and national security. But this export liberalization poses risks to public safety and national security. The Administration is willing to tolerate that risk, for a limited period, in order to accelerate the development of a global key management infrastructure.

The White House
Office of the Vice-President
October 1, 1996

----------------------------------------------------------------------------

Index [Not provided]
[End Report]