Export Controls & Information Security
Many of our modern gadgets are subject to export controls without many of us ever knowing. Everyday items such as smart phones, tablets, laptop computers, gaming consoles etc., use cryptography which is prima facie ‘Dual-Use’ export controlled.
Participating States to the Wassenaar Arrangement (including the UK, US & all countries of the European Union) apply export controls to all items shown in the List of ‘Dual-Use Goods and Technologies’, including Information Security Items (goods, software & technology) with the objective of preventing unauthorised transfers or re-transfers of those items.
Following the UK's exit from the European Union in January 2020, Council Regulation (EC) No 428/2009 was subsequently adopted, and the UK’s ‘Dual-Use’ list can be seen in Annex I and Annex IV of this Regulation. Information Security can be seen in Category 5, Part 2 of Annex I.
Information Security is defined in the Regulation as ‘all the means and functions ensuring the accessibility, confidentiality or integrity of information or communications, excluding the means and functions intended to safeguard against malfunctions. This includes "cryptography", "cryptographic activation", 'cryptanalysis', protection against compromising emanations and computer security’.
Products that use cryptography are prima facie controlled under the ‘Dual-Use’ list. However, it is not the intention of the authorities to control certain everyday goods and software. As such, ‘Note 3’ is intended to exclude from control certain goods that:
a) can be readily purchased by the general public,
b) require little or no support to install,
c) and have standard-form (AES, WPA etc.) cryptographic functionality which cannot be easily changed by the user.
Note 3 also relaxes controls on certain components and software of such items.
Note 3 can be seen at the beginning of Category 5 part 2, ‘Information Security’, as described above. There are also certain other decontrols within Category 5 part 2 which are separate to Note 3.
Note 3a exempts from control under sections 5A002 and 5D002 items that meet all of the following:
a) Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
- Over-the-counter transactions,
- Mail order transactions,
- Electronic transactions, or
- Telephone call transactions,
b) The cryptographic functionality cannot easily be changed by the user,
c) Designed for installation by the user without further substantial support by the supplier, AND
d) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs 1. to 3. above.
The Regulation also contains the following ‘Note to the Cryptography Note’ which aims to provide further clarity.
Note to the Cryptography Note:
a) To meet paragraph a. of Note 3, all of the following must apply:
- The item is of potential interest to a wide range of individuals and businesses, and
- The price and information about the main functionality of the item are available before purchase without the need to consult the vendor or supplier. A simple price enquiry is not considered to be a consultation.
b) In determining eligibility of paragraph a. of Note 3, competent authorities may take into account relevant factors such as quantity, price, required technical skill, existing sales channels, typical customers, typical use or any exclusionary practices of the supplier.
In the UK, items meeting the Note 3 decontrol are classified as Not Listed. It is important to note that modified items, i.e. items specially created or modified from items which would normally meet the requirements of Note 3, may not themselves qualify for the Note 3 decontrol, in which case they will most likely be fully ‘Dual-Use’ list controlled and require an export licence if exported.
In the US, items meeting the Note 3 decontrol will be classified as 5A992 or 5D992, and may be subject to reporting or registration requirements (e.g., microprocessors decontrolled under Note 3).