Export permits for cryptographic items
Broadbased cryptography export permit
Summary: This type of permit allows exports of hardware, executable software, and associated information and enhancements to a wide range of countries; it requires that all exports or transfers made using the permit be reported every six months. Applicants to whom export permits have not previously been issued or who have a history of non-compliance with previously issued export permits may apply for broadbased permits but will be subject to a shorter validity period.
Broadbased permits allow the export to most countries by any means of the following:
- Goods that incorporate cryptography that is controlled in Category 5, Part 2 of Group 1 of the Export Control List;
- Executable code (object code) of those cryptographic goods;
- Technical information which is the minimum necessary for the installation and operation of those cryptographic goods;
- Maintenance releases and product upgrades which do not contain:
- enhancements to the cryptographic component(s), module(s) or interface(s) or change the cryptographic functionality of those cryptographic goods; or
- source code or pseudo-code of the cryptographic component(s), module(s) or interface(s).
Broadbased permits explicitly exclude, in the terms and conditions stated on each permit, exports:
- to countries that are included in the Area Control List; that are subject to Canadian economic sanctions (including those implemented under the United Nations Act or the Special Economic Measures Act); that are excluded from the application of General Export Permit No. 12; and that are subject to sanctions under the Export and Import Permits Act;
- As of June 2011, these countries are the following: Afghanistan, Belarus, Burma (Myanmar), Cote d'Ivoire, Cuba, Democratic Republic of the Congo, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Pakistan, Rwanda, Sierra Leone, Somalia, Sudan, Syria, Zimbabwe.
- for end-use that is directly or indirectly related to research, development or production of chemical, biological or nuclear weapons, or any missile programmes for such weapons;
- of technical information related to design, development or implementation of the crypto; and
- of source code or pseudo-code, in any form, of the crypto.
Please contact the Export Controls Division if you wish to submit an application for a multidestination permit using EXCOL and have not done so before. You should send an email to firstname.lastname@example.org and request that your EXCOL profile to be set to enable applications for multidestination cryptography permits.
Applications for broadbased permits must include the following:
- complete application form (generally done through our online system EXCOL)
- a completed cryptography and information security product questionnaire
- technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, block diagrams, exploded view drawings, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
- cover letter using the template provided and confirming the exporter agrees to abide by the terms and conditions of the permit
- evidence that the exporter has incorporated the four prohibitions listed above into any applicable distributor, re-seller or vendor agreements (a copy of such documents should be attached with the application).
Exporters of information securitygoods/technology and goods/technology employing cryptography should note the following guidelines on identifying items in an export permit application:
- Descriptions of finished products should use the following format: [brand name or name of manufacturer] [model name] [part number]. This information should be consistent with packaging labels, invoices, and shipping documents.
- Descriptions of software should use the following format: [software developer or publisher name] [software name] [version number x.x] [means of export – eg, on CD or by FTP]. This format assumes that, in the version number, changes to the right of the decimal (eg, from version 3.0 to 3.1) will only be updates, patches, or fixes with no change to the cryptographic functionality, and that any other change to the software, including a change to the cryptographic functionality, will result in a change from version 3 to version 4.
- Item descriptions should not describe the purpose, use, or physical appearance of the product (this should be provided instead in the field “Overall Description of Goods and End-Use” in the EXCOL application form) nor include references to the Export Control List (self-assessments should be provided in the field “ECL No.” in the EXCOL application form).
- The Description is how the goods or technology will be identified on the export permit, which will also be verified against the Export Declaration submitted to the Canada Border Services Agency at the time of export.
An export permit issued for software will generally include the version number, as noted above (eg, version 1.x). Changes to the version number to the left of the decimal (ie, from version 1.x to version 2.x) require a new permit to be issued. In other words, if a permit is issued for version 1.1, the exporter may also use that permit to export versions 1.2 and 1.3 (assuming there has been no change to the cryptographic functionality). However, that permit may not be used to export version 2.1 of the same software. A new permit application should be submitted.
After issuance of a broadbased permit, the exporter must:
- provide,in January and July, reports on the final consignees to whom exports are made under the authority of the permit in the preceding 6 months. The reports must include the export permit application number, export permit number, export permit expiry date,final consignee name,final consignee address (street address, city, postal code, country), and product (as identified on the export permit, including product version identifier). A template for a semi-annual report is available on our website.
- comply with other terms and conditions that may be stated on an export permit. Exporters are obliged to comply with these conditions when they export under the authority of the permit. Exporters must review the terms and conditions upon receipt of the export permit and prior to exporting, and may contact the Export Controls Division (email email@example.com) for more information.
- comply with provisions of the Export and Import Permits Act which require, inter alia, the keeping of records for at least six years after the end of the year to which they relate and that such records be provided upon demand to an officer of the Export Controls Division. Exporters using a broadbased permit must retain documentation, which may include contracts, invoices, requests for products, statements of work, specific correspondence, (if applicable) vendor/reseller/distributor agreements, an end-use statement (following the template provided for individual permits), and bills of lading, which demonstrate that the exporter has undertaken due diligence. The purpose of due diligence is to verify that the transaction adheres to the permit and its specific terms and conditions.
“Starter” broadbased cryptography export permit
Applicants to whom an export permit has not previously been issued or who have a history of non-compliance may apply for broadbased permits but will be subject to a shorter initial validity period – 4 months – and more frequent reporting requirement. This is referred to as a “starter” broadbased permit.
If prior exports occurred without necessary permits having been obtained, a non-compliance report (see pages 48-89 of the Export Controls Handbook ) will be required by the end of the first reporting period.
After issuanceof a starter broadbased permit, the exporter must provide, 3 months after the date of permit issuance, a report onthe final consignees to whom exports were made underthe authority of the permit in the preceding 3 months. The format of a quarterly report should follow the template of the semi-annual report available on our website.
Upon submission of the required quarterly report within the specified timeframe and of a non-compliance report (if required), an exporter may submit a Permit Amendment Request through EXCOL to extend the validity period of this type of permit for a subsequent period of 4 months.
If the subsequent report is complete and timely, an exporter may submit a Permit Amendment Request to extend the validity of the permit again, up to 5 years, and the exporter may apply for normal broadbased permits in future. At this time, the report due dates will be changed from quarterly reports dated from the issuance of the initial starter broadbased permit to fixed semi-annual report due dates.