Export permits for cryptographic items

Introduction

Guide to Canada's Export Controls

The Export Control List (ECL) describes goods and technology that are subject to export controls. Exports of such items must be authorized by an export permit before they may be exported from Canada to any country (other than, with some exceptions, the United States).

The complete text of the Export Control List is published in the Guide to Canada's Export Controls. Cryptography controls are outlined on pages 30-31 in Category 5 - Part 2 ("Information Security") of Group 1 (the Dual-Use List). If your product meets the criteria for control described in this section, or if you are unsure but believe it might be included on the ECL, you should apply for a permit.

Permits are not required to export cryptography and information security goods or technology from Canada to the United States. Exports of Canadian goods or technology from the United States or other countries are subject to export controls of that country. However, foreign consignees who intend to re-export such goods or technology should state that in the end-use statement, if one is required. Applications for broadbased permits require evidence that the exporter has incorporated prohibited destinations into any applicable distributor, re-seller or vendor agreements.

Exporters may also refer to our list of Frequently Asked Questions about cryptography exports. These address specific issues and assume a familiarity with the information in the Guide to Canada's Export Controls, the Export Controls Handbook, and other information on this website.

Export Controls Handbook

The Export Controls Handbook is a reference document. It describes how to apply for export permits and includes guidance on issues such as:

  • use of Export Controls Online (EXCOL)
  • how an applicant should describe items in their export permit application
  • mandatory supporting documents, in particular technical description and end-use statements
  • destination and origin considerations.

Individual export permits

An individual permit allows exports of goods and technology described therein to specified consignees in a single country. Individual permits may authorize exports of any cryptographic items controlled in Group 1: Category 5 – Part 2 of the Export Control List (ECL). An application must be submitted to the Export Controls Division in order to obtain an individual permit. Once it has been issued to an applicant, this type of permit generally does not require that actual exports be reported (in contrast to some other permit types).

Applications

Export permit applications for information security goods/technology and goods/technology employing cryptography consist of the following:

  • complete application form (generally done through our online system EXCOL)
  • Cover letter or notes in the “Applicant/exporter comments” field of the EXCOL application form explaining the overall nature of the proposed transaction, including the roles of the parties involved and the end-use of the product. This information informs the Export Controls Division's review of the application by providing a clear picture of the particulars of the proposed export.
  • a completed cryptography and information security product questionnaire
  • technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
  • signed end-use statement from the final consignee to whom the export shipment is destined – exporters may use the template provided or submit other documents which contain the same information required in the template. When alternative end-use documents are provided, the applicant must clearly indicate in their application where in those documents each of the elements of the end-use statement template are met.

As noted above, general information that is required in an export permit application form submitted through EXCOL can be found in the Export Controls Handbook.

Exporters of information security goods/technology and goods/technology employing cryptography should note the following guidelines on identifying items in an export permit application:

  • Descriptions of finished products should use the following format: [brand name or name of manufacturer] [model name] [part number]. This information should be consistent with packaging labels, invoices, and shipping documents.
  • Descriptions of software should use the following format: [software developer or publisher name] [software name] [version number x.x] [means of export – eg, on CD or by FTP]. This format assumes that, in the version number, changes to the right of the decimal (eg, from version 3.0 to 3.1) will only be updates, patches, or fixes with no change to the cryptographic functionality, and that any other change to the software, including a change to the cryptographic functionality, will result in a change from version 3 to version 4.
  • Item descriptions should not describe the purpose, use, or physical appearance of the product (this should be provided instead in the field “Overall Description of Goods and End-Use” in the EXCOL application form) nor include references to the Export Control List (self-assessments should be provided in the field “ECL No.” in the EXCOL application form).
  • The Description is how the goods or technology will be identified on the export permit, which will also be verified against the Export Declaration submitted to the Canada Border Services Agency at the time of export.

An export permit issued for software will generally include the version number, as noted above (eg, version 1.x). Changes to the version number to the left of the decimal (ie, from version 1.x to version 2.x) require a new permit to be issued. In other words, if a permit is issued for version 1.1, the exporter may also use that permit to export versions 1.2 and 1.3 (assuming there has been no change to the cryptographic functionality). However, that permit may not be used to export version 2.1 of the same software. A new permit application should be submitted.

Application review period

The Export Controls Division makes every effort to review export permit applications as quickly as possible. The Export Controls Division has established service delivery targets for applications to export in order to provide applicants with timely service. Review times may vary according to the complexity of an application, the adequacy and completeness of the information presented in it, and the number of applications under review at any given time. Under normal circumstances:

  • complete applications for many destination countries, including most European countries, Japan, South Korea, Australia and New Zealand, will be reviewed within 10 business days from the submit date in EXCOL or from the date of receipt in the Export Controls Division;
  • complete applications to other destinations will be reviewed within eight weeks from the submit date in EXCOL or from the date of receipt in the Export Controls Division.

Applicants whose applications are incomplete will be asked to provide additional information within a specific time period. Incomplete applications may be returned without action in order for them to be submitted again at a later date when the required information is available to the applicant.

Validity periods for individual export permits

The default validity period for individual export permits for cryptography is two years. Exporters may request shorter or longer validity periods, up to 5 years. Individual applications may also be amended to extend the validity period by up to one year at a time (applications must be made through EXCOL at least 2 weeks before the expiry date of the existing permit – refer to the Export Controls Handbook for more information).

Other types of export permits

The Export Controls Division issues several types of “multidestination” export permits for cryptographic items. These allow for exports to multiple destination countries without consignees being specified in the application. These permits differ according to the cryptography products that are intended to be exported and the terms and conditions that apply to the use of these permits. The following multidestination permits are currently issued by the Export Controls Division:

  • EU+5 cryptography permit: this type of permit may authorize exports of hardware, software, source code or other technology controlled under Export Control List Group 1 Category 5 – Part 2: “Information Security”. Eligible destinations include all countries within the European Union (except Cyprus), Australia, Japan, New Zealand, Norway and Switzerland. There are no regular reporting requirements but export records must be maintained and provided to the Export Controls Division if requested.
  • Broadbased permit: this type of permit allows exports of hardware, executable software, and associated information and enhancements to a wide range of countries; it requires that all exports or transfers made using the permit be reported every six months. Applicants to whom export permits have not previously been issued or who have a history of non-compliance may apply for broadbased permits but will be subject to a shorter validity period.
  • Co-development permit: this type of permit allows exports, to affiliates in a wide range of countries, of software, source code or other technology controlled under Export Control List items 1-5.D.2 and 1-5.E.2 that contains cryptographic functionality, and related technical data and assistance, for product development. The locations of those affiliates must be reported but are not required to be declared at the time of application.
  • Bona fide Canadian and US corporations permit: this type of permit allows exports of hardware, executable software, and associated information and enhancements to foreign consignees that are majority-owned by Canadian- or US-based parent companies. There are no reporting requirements.
  • Regime decontrol (ancillary cryptography) permit: this type of permit allows exports of any goods or technology that meet the definition in Note 4 to Group 1, Category 5, Part 2 and which covers “ancillary” cryptography. When this Note is implemented in the Export Control List around December 2010, such items will no longer be subject to export controls. There are no reporting requirements.
  • Java permit: this type of permit allows exports of hardware and executable software into which the Java Runtime Environment has been integrated, as well as associated information and enhancements, to a wide range of countries. There are no reporting requirements.
  • Financial institutions permit: this type of permit allows exports of hardware, executable software, and associated information and enhancements to financial institutions in a number of countries that have enacted legislation to counter money laundering. There are no reporting requirements.

Applications

Please contact the Export Controls Division if you wish to submit an application for a multidestination permit using EXCOL and have not done so before. You should send an email to tie.reception@international.gc.ca and request that your EXCOL profile be set to enable applications for multidestination cryptography permits.

Applications for multidestination permits must include the following:

  • Complete application form (generally done through our online system EXCOL)
  • A completed cryptography and information security product questionnaire
  • Technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
  • Cover letter using the template provided and confirming the exporter agrees to abide by the terms and conditions of the permit.

Some types of multidestination permits may require other supporting documents or information. Please refer to the detailed descriptions of each for more information.

Application review period

The Export Controls Division makes every effort to review export permit applications as quickly as possible. The Export Controls Division has established service delivery targets for applications to export in order to provide applicants with timely service. Review times may vary according to the complexity of an application, the adequacy and completeness of the information presented in it, and the number of applications under review at any given time. Under normal circumstances:

  • complete applications for multidestination permits will be reviewed within 10 business days from the submit date in EXCOL or from the date of receipt in the Export Controls Division.

Applicants whose applications are incomplete will be asked to provide additional information within a specific time period. Incomplete applications may be returned without action in order for them to be submitted again at a later date when the required information is available to the applicant.

Validity periods for multidestination permits

The default validity period for multidestination export permits for cryptography is typically 2 years, although exporters may request in the EXCOL application form shorter or longer validity periods, up to 5 years. Applicants whose product development cycles are shorter than 2 years may wish to request shorter validity periods since new versions of a cryptography item require the submission of a new application (and these new applications may include all previous versions of the same product).

Export Control Compliance Plan

A statement is required in the cover letter that the exporter has implemented an export control compliance plan. Multidestination permits allow greater flexibility to exporters than individual permits, but also impose different conditions on them, in particular the requirement to submit certain reports at regular intervals. Failure to comply with these conditions may result in the suspension or cancellation of a multidestination permit. When this happens, an exporter may not use the permit until full compliance has been restored and must apply for individual permits in the interim. Export control compliance plans may reduce the risk and consequences of non-compliance.

In general terms, an export control compliance plan consists of defined or prescribed processes and procedures to ensure that employees at all levels of a company understand and act in accordance with the letter and spirit of the Export and Import Permits Act, the Customs Act, other trade-related legislation (for example, on economic sanctions) and their related regulations.

The export control compliance plan should establish the steps and due diligence process a company follows when planning, marketing, and shipping items included in the Export Control List to foreign clients, and should also cover download practices (if applicable). An important provision of such a plan is a defined process to provide a reasonable level of assurance (due diligence) that goods or technology may not be exported to unauthorized or illegitimate end-uses or end-users.

Attached to an export permit may be terms and conditions that constitute legal obligations on the company that uses that permit. An export control compliance plan should ensure that those terms and conditions are recorded and that internal company processes reflect and meet those obligations.

Other obligations on exporters of goods and technology subject to export controls are prescribed in the following sections of the Export and Import Permits Act:

  • Subsection 10.2 (which requires exporters to make records available for inspection)
  • Subsection 10.3 (which requires records to be kept)
  • Section 13 (which prohibits exports of goods or technology included in the Export Control List except in accordance with an export permit)
  • Section 16 (which prohibits the transfer of an export permit)
  • Section 17 (which prohibits the furnishing of false or misleading information or any misrepresentation in relation to an export permit application)
  • Section 18 (which prohibits any person from assisting another to contravene the Act or its regulations)

An export control compliance plan should also address a procedure to deal with instances of non-compliance. For example, the Export Controls Division of Foreign Affairs, Trade and Development Canada should be promptly notified of any failure to comply with the provisions of the Export and Import Permits Act or the terms and conditions of any export permit issued under the authority of that Act.