Exporting Software and Technology Abroad — Controls on Ancillary Encryption to be Liberalized
In what will come as welcome news to Canadian tech companies, Canada is planning on easing export controls over "ancillary encryption" items. These are items designed to work with encryption but encryption is not their primary function. Recently, the Canadian government agreed to implement an exemption to the current export permit requirement for these goods, software and related technology, provided they meet certain criteria.
Canadian companies must currently apply for and obtain export permits in order to export information security items or transfer any related technology from Canada to destinations other than the United States. Canada’s Export Control List identifies the goods and technology covered by these requirements, and imposes a very low threshold of control — encryption with key lengths in excess of 64 bits (in the case of symmetric algorithms). Further, the available exemptions for mass market items and technology and software in the public domain may only be relied upon in very limited circumstances.
Canadian authorities have been consulting with the business community on how the mass market exemption for encryption items is interpreted and administered in jurisdictions outside of Canada. They have also recently announced industry consultations on the export control permit process.
These consultations appear to be part of an effort to address concerns that, because of the burdens imposed by the permit regime, Canadian companies are not on a level playing field with their competitors in the United States and other countries when it comes to the sale of their products and technology in international markets.
Recently, the issue of liberalizing international controls over ancillary encryption has arisen. These goods, software and related technology still require permits in order to be exported or transferred from Canada to destinations other than the United States.
In December, 2009, the Wassenaar Arrangement Participating States, including Canada, agreed to exempt from export control items incorporating information security cryptography that is ancillary to and not the primary function of those items. The exemption has been implemented in the form of a Note to the Wassenaar Arrangement Category 5 — Part 2 ("Information Security") as follows:
Note 4: Category 5 — Part 2 does not apply to items incorporating or using "cryptography" and meeting all of the following:
- The primary function or set of functions is not any of the following:
- "information security";
- a computer, including operating systems, parts and components therefor;
- sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
- networking (includes operation, administration, management and provisioning).
- The cryptographic functionality is limited to supporting their primary function or set of functions.
- When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.
Provided these conditions are met, exporters of these items should no longer be required to undertake the process of applying for and obtaining an export permit prior to supplying their customers outside of Canada. However, the Canadian government does not anticipate incorporating these provisions into law until the end of 2010 or early 2011.
Broadbase Permit Pending Implementation
In an attempt to address concerns that Canadian companies will be put at a competitive disadvantage by this implementation delay, the Export Controls Division of Foreign Affairs and International Trade Canada has developed a new broadbase permit that may be applied for, and that, under certain conditions, will permit these shipments or transfers to proceed. Once the broadbase permit has been negotiated and obtained, the exporter is free to ship or transfer such items without any reporting requirements, although recordkeeping requirements still apply.
A procedure has been established to allow ancillary cryptography exporters to apply for these permits under certain terms and conditions, including the following:
The exporter provides full technical specifications with sufficient detail to disclose the true nature of the goods, their country of manufacture, their intended application, and the justification for qualifying for the ancillary exemption.
The permit will not authorize exports to any end-user directly or indirectly involved in research, development or production of chemical, biological and nuclear weapons, or any missile program; or to any country on Canada’s Area Control List (currently Burma and Belarus, and soon North Korea will be added) or any other country subject to existing Canadian economic sanctions.
The exporter must maintain all records necessary to determine compliance with Canadian legal requirements for a period of six years after the date of export from Canada.
Until the Wassenaar Arrangement exemption for ancillary encryption is fully implemented into Canadian law, exporters will have to apply for and obtain an individual broadbase permit before exporting these items or transferring related technology. After implementation of this new exemption, exporters will be able to self-classify exports and transfers without having to notify the Export Controls Division.
McCarthy Tétrault Notes
Many Canadian companies continue to struggle with the burden imposed by Canada’s broad system of encryption controls.
Vendors are often surprised to learn that the export or transfer of their encryption goods and technology requires a permit before shipment to their foreign customers. Often, they first discover this when the Canada Border Services Agency detains these goods just prior to export. Others fail to realize that transfers of related technology not involving physical shipments also require a permit — these technology transfers can occur as a result of communications by fax or e-mail, during teleconferences or training sessions, or by remote server download or upload.
Because failure to obtain a permit prior to exporting or transferring controlled goods or technology can attract heavy penalties — and, often more significantly, can lead to long delays in order fulfillment and lost business — it is important that any organization dealing in encryption or items designed to work with encryption carefully address these issues to minimize risk exposure and administrative burden.