Export permits for cryptographic items

Frequently Asked Questions

Category 5 Part 2 – Encryption Items

A. General Questions

1. Why does Canada control cryptographic items for export?

2. Are items that are just using open source encryption software specified by Category 5 Part 2?

3. Do items that contain encryption which is either not used or is not enabled require a review against Category 5 Part 2 criteria?

4. Do items that do not contain encryption but which make use of encryption already present in other items, such as software applications that call up cryptographic libraries, require a review against Category 5 Part 2?

5. Are medical devices using crypto specified by Category 5 Part 2?

6. We provide a general purpose processing card which happens to use a processing chip that has hardware crypto accelerators. However, our processing card does not make any use of the encryption functionality of this chip. Would our processing card be captured by Category 5 Part 2 even though it does not use any cryptographic functionality embedded in one of its chips?

7. I am a consultant who develops custom secure data storage applications for corporate clients around the world. The applications that I develop do not contain any cryptographic functionality, but rather call up cryptographic libraries located on the operating system that the application is designed to run on. Are my secure data storage applications controlled under Category 5 Part 2?

8. I am going to Germany tomorrow with my unique company laptop. My company uses a software tool to encrypt the data on the laptop's hard drive. Do I need a permit to bring my laptop with me?

9. We produce modular telecommunications systems that may or may not include cryptographic components depending on what hardware blades are ordered. Do we need to consider Category 5 Part 2 for all of our products?

10. I am exporting an item that I purchased, and don't have the technical information about its cryptographic functionality. What should I do?

11. Is military equipment that uses cryptography controlled under Category 5 Part 2?

12. I would like to export a secure enterprise database application controlled under Category 5 Part 2 and a simulation program not controlled under the ECL, bundled together in a single Hard Drive. The two applications are totally independent from each other and are being bundled strictly for ease of shipment purposes. Is the control status of these two items being affected by bundling?

B. Cryptography Note Questions

1. What are the issues to be considered in assessing an item against Note 3 of Category 5 Part 2?

2. What are some examples of items that would be considered to fall under Note 3?

3. What are some examples of items that would not be considered to fall under Note 3?

4. Why does a mass market personal computer loaded with a software application with encryption functionality not always receive a decontrol under Note 3?

5. We are producers of enterprise networking applications and we offer a free software application that provides additional functionality, including encryption, to those that they have already purchased from us. This free add-on software is downloadable from our web site. We do, however, require users to fill out a form on-line, which we then verify prior to allowing any downloads. Can this add-on software be considered under Note 3 of Category 5 Part 2?

6. We are distributors of VoIP Phones which use the SIP protocol and provide secure communications. We have in the past exported these items to the U.S. with no worries as there are no export permit requirements for Category 5 Part 2 items to the U.S. and we know that these items are not controlled elsewhere under the ECL. However, we have recently received a large order from India and are wondering whether these phones would be controlled under Category 5 Part 2. These phones are available through a variety of distributors, including retail, and are in use within various telecommunications infrastructure equipment.

7. We produce electric detonators for construction drilling and blasting. The detonator triggers are protected by lock boxes that use crypto to generate keys. These keys correspond to pass codes that appear on dongles carried by the operators. Is this system considered mass market?

8. When would a newly introduced consumer product with cryptography become eligible for consideration under the Cryptography Note 3?

C. Note 4 Questions

1. What is an ‘Ancillary Cryptography' item?

2. We produce a portable lighting system to support landing of aircraft in impromptu airfields to assist in disaster relief operations. Our lights are activated remotely via a secure wireless digital communication link. Are these lights controlled under Category 5 Part 2?

3. We are producers of gaming equipment. Our product allows users to play against and with each other in a complex network. We have high capacity servers located in other countries, and frequently need to export improved gaming equipment and software upgrades to optimize the user experience. Do we need permits to export these items?

4. I am exporting an airplane that includes an integrated communications device that uses encryption. Is the airplane controlled under Category 5 Part 2?

5. What if I am exporting a spare part for the airplane that uses encryption?


A. General Questions

1. Why does Canada control cryptographic items for export?

Pursuant to the Export and Import Permits Act, Canada controls exports of certain dual-use, military, and strategic goods and technology. The Export Control List (ECL) defines which items are subject to controls, and these definitions are generally the result of multilateral negotiations in four export control regimes in which Canada participates.

Recognizing that cryptography could be used to undermine or threaten international and national security, all 40 Participating States of the Wassenaar Arrangement have committed to implementing export controls on cryptography in national legislation. Cryptography is controlled in the ECL in Category 5 of Group 1, the “Dual-Use List”, which includes items that are designed for civil, commercial applications, but which could also be used for significant military purposes. The Export Controls Division administers these export controls in partnership with the Communications Security Establishment (CSE), Canada's national cryptologic agency. Export controls are enforced by the Canada Border Services Agency and the Royal Canadian Mounted Police, in consultation with the administering offices.

Because encryption items can be used to maintain the secrecy of information, the Government of Canada takes measures to protect against the possibility that these items may be used by persons abroad to harm Canadian foreign policy and national security interests. Cryptographic export controls assist the Government in ensuring that Canada's foreign policy and national security interests are protected from concealed hostile or detrimental activities abroad. At the same time, export controls aim to facilitate the legitimate use of encryption to protect information within the public and private sectors.

2. Are items that are just using open source encryption software specified by Category 5 Part 2?

When a new item is created using open source software such as Open SSL, the new item is considered as a separate and distinct encryption item which will need to be reviewed against the ECL.

3. Do items that contain encryption which is either not used or is not enabled require a review against Category 5 Part 2 criteria?

Items that contain encryption which is either not used or dormant are considered encryption items requiring review against Category 5 Part 2.

4. Do items that do not contain encryption but which make use of encryption already present in other items, such as software applications that call up cryptographic libraries, require a review against Category 5 Part 2?

Items that do not contain encryption but which make use of encryption already present in other items are considered encryption items requiring review against Category 5 Part 2.

5. Are medical devices using crypto specified by Category 5 Part 2?

No. Items specially designed for medical end-use are exempt from Group 1 and Group 2 of the Canadian Export Control List (ECL) as part of a Statement of Understanding (SOU) agreed to by the Wassenaar Arrangement.

6. We provide a general purpose processing card which happens to use a processing chip that has hardware crypto accelerators. However, our processing card does not make any use of the encryption functionality of this chip. Would our processing card be captured by Category 5 Part 2 even though it does not use any cryptographic functionality embedded in one of its chips?

Yes. Although the processing card does not use crypto, the card is considered specially designed to use crypto and would need to be evaluated against Category 5 Part 2.

7. I am a consultant who develops custom secure data storage applications for corporate clients around the world. The applications that I develop do not contain any cryptographic functionality, but rather call up cryptographic libraries located on the operating system that the application is designed to run on. Are my secure data storage applications controlled under Category 5 Part 2?

Yes. Although the secure data storage application does not incorporate any cryptographic routines/algorithms, it does call up a cryptographic library residing elsewhere. This item is specially designed to use cryptography and is therefore controlled under Category 5 Part 2.

8. I am going to Germany tomorrow with my unique company laptop. My company uses a software tool to encrypt the data on the laptop's hard drive. Do I need a permit to bring my laptop with me?

No. Note 2 allows the export of products controlled under Category 5 Part 2 when accompanying the user for the user's personal use.

9. We produce modular telecommunications systems that may or may not include cryptographic components depending on what hardware blades are ordered. Do we need to consider Category 5 Part 2 for all of our products?

No. Only those specific models specially designed to use cryptography are controlled under Category 5 Part 2. An export permit may be required for those models that include cryptographic functionality.

10. I am exporting an item that I purchased, and don't have the technical information about its cryptographic functionality. What should I do?

In order to complete technical assessment of the item, certain information may be required. Details, regarding cryptographic functionality, or otherwise, are likely available and can be obtained from the original manufacturer.

11. Is military equipment that uses cryptography controlled under Category 5 Part 2?

If the item is specially designed for military use, it is controlled under Group 2. Group 1, the “Dual-Use List”, controls items that are designed for civil, commercial applications and, as such, any item that is specially designed for military use is by definition not a dual-use item. However, the Export Permit application process online (EXCOL) requires that you confirm whether an item includes cryptographic functionality, notwithstanding where the item may be controlled under the ECL.

12. I would like to export a secure enterprise database application controlled under Category 5 Part 2 and a simulation program not controlled under the ECL, bundled together in a single Hard Drive. The two applications are totally independent from each other and are being bundled strictly for ease of shipment purposes. Is the control status of these two items being affected by bundling?

No. Each item is evaluated separately as if they were being exported individually. The export control classification of items that have been repackaged or bundled together only for marketing or shipment remains the same.

B. Cryptography Note Questions

1. What are the issues to be considered in assessing an item against Note 3 of Category 5 Part 2?

Note 3 in Category 5, Part 2 of Group 1 of the Export Control List is a decontrol note that is intended to relax controls on cryptographic goods and technology that are sold to the general public in large quantities. This note is sometimes informally referred to as the Mass Market Note.

There are four elements to the note, all of which must be met for the note to apply. The questions below are intended to help exporters determine whether their products meet the elements of the note.

If an exporter is uncertain as to whether Note 3 applies to a particular product, an application for an export permit or an Advisory Opinion should be submitted. This application should include information about the product that is relevant to consideration of the issues described below.

If Note 3 applies to a product that is otherwise controlled under Category 5, Part 2, no permit is required to export this product from Canada unless it is controlled elsewhere on the ECL.

Note 3 reads as follows:

Note 3:

Cryptography Note

1-5.A.2. and 1-5.D.2. do not control items that meet all of the following:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

  • 1. Over-the-counter transactions;
  • 2. Mail order transactions;
  • 3. Electronic transactions; or
  • 4. Telephone call transactions;

b. The cryptographic functionality cannot easily be changed by the user;

c. Designed for installation by the user without further substantial support by the supplier; and

d. Deleted;

e. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. to c. above.

The following are some of the key issues to consider in assessing an item against Note 3.

1) Regarding part a. of Note 3, in Canada an item is normally considered “generally available to the public” if it is sold without limitation or qualification of the purchaser (“without restriction”) and if it is intended for use by the general public. In other words, the seller does not consider who the buyer is and does not discriminate between buyers. Specialized users like doctors, fire-fighters and large enterprises are not considered to be the general public: products that are intended for sale only to one or more specialized groups would not generally be considered to fall within the scope of Note 3. However, use of a product by a specialized group does not automatically exclude that item from the note.

Generally, if a product is customized for a particular customer or buyer, Note 3 does not apply, as a customized product would not be available “from stock”. However, this limitation would not extend to products that, by design, have several options which may be selected by any customer as a normal part of their purchase of the goods, just as cars are available in different colours and with different options that may be selected by the customer.

Note 3 identifies four different means of acquisition of a product. If a product is available by any of these – in a retail store, by mail order, online or by telephone – this element of the note normally applies. It is not necessary for an item to be available by all four means to meet the note.

There is no threshold of price for application of the note. In other words pricing alone is not normally considered a restriction on the availability of a product for the purposes of the note.

In the case of an application for an export permit or an Advisory Opinion that seeks to determine whether Note 3 applies, an applicant can answer the following questions or provide the following information with the application:

  • 1. Approximately how many copies or units of the product have been sold in the North American domestic market? Of these, what percentage were over-the-counter, mail order, telephone order, other (specify)?
  • 2. Details on the marketing strategy for the product. Supporting documentation illustrating established partnerships, alliances, or distribution networks for wholesale, retail, OEM, and indirect sales markets. Copies (not hyperlinks) of websites, catalogues, flyers, and so on which demonstrate retail availability of the product should be provided.
  • 3. Whether the hardware or software has been modified or customized to customer specification.

2) Regarding part b. of Note 3, the simple activation or deactivation of cryptographic functionality of a product by the user is not normally considered to be a change of the cryptographic functionality. Products in which the cryptographic functionality can be activated or deactivated by the user at home (like a wireless router) may be eligible for Note 3.

However, products for which the user can adjust the cryptographic algorithm, such as through a Graphical User Interface or some other mechanism, do not normally meet this condition of the note.

Source code may be “easily changed” by the user. Source code for a cryptographic algorithm does not normally meet Note 3.

3) Normally, to qualify under part c. of Note 3, a product must be designed to be installed by the individual who will be using the device.

For example, while a wireless router for home use may be difficult to install for certain customers, most members of the general public are able to install them using instructions provided with the product. Therefore they are generally considered to be designed for “installation by the user”.

Optional on-site installation support provided through the retail outlet at which the product was purchased does not normally constitute “substantial support by the supplier”, nor does the provision of installation instructions that are included in the product packaging. Provision of assistance in the form of a toll-free telephone number or website where a user without technical expertise may ask questions or obtain clarification about installation instructions does not normally constitute “substantial support by the supplier”.

Telephone switches and private branch exchanges that are designed for installation by technicians do not normally meet this element of the note as they are not designed to be installed by the user, who is the person making a call.

In the case of an application for an export permit or an Advisory Opinion that seeks to determine whether Note 3 applies, an applicant should answer the following questions or provide the following information with the application:

  • Supporting documentation on how the product is “designed for installation by the user”.
  • Is the product supplied with a User and/or Installation Manual, or a Readme file? What level of product detail is provided?
  • The level of support provided by the supplier and third parties on behalf of the supplier (eg: man-machine interface, technical design, user-selectable configuration options, etc).

2. What are some examples of items that would be considered to fall under Note 3?

Examples of items that would be considered as Note 3 items include, but are not limited to:

  • General purpose operating systems
  • Short range wireless devices such as access points
  • PDAs and Web phones
  • Commercial, off-the-shelf software for personal computers
  • Home-use networking commodities

3. What are some examples of items that would not be considered to fall under Note 3?

Examples of items that would likely not be considered as Note 3 items include, but are not limited to:

  • Items requiring substantial support for installation
  • Items that are used in the production of other items such as chips that include cryptographic accelerators
  • Source code

4. Why does a mass market personal computer loaded with a software application with encryption functionality not always receive a decontrol under Note 3?

When software modifies a computer to perform a specific function, the resulting product is considered as a separate and distinct encryption item.

5. We are producers of enterprise networking applications and we offer a free software application that provides additional functionality, including encryption, to those that they have already purchased from us. This free add-on software is downloadable from our web site. We do, however, require users to fill out a form on-line, which we then verify prior to allowing any downloads. Can this add-on software be considered under Note 3 of Category 5 Part 2?

No. Note 3.a. states that software has to be available to the public by being sold, without restriction, from stock at retail selling points. The registration and verification you have on users prior to the download of this free add-on software is a restriction on its availability to the public, and as such, this item does not meet Note 3. requirements.

6. We are distributors of VoIP Phones which use the SIP protocol and provide secure communications. We have in the past exported these items to the U.S. with no worries as there are no export permit requirements for Category 5 Part 2 items to the U.S. and we know that these items are not controlled elsewhere under the ECL. However, we have recently received a large order from India and are wondering whether these phones would be controlled under Category 5 Part 2. These phones are available through a variety of distributors, including retail, and are in use within various telecommunications infrastructure equipment.

The phones use an interoperable SIP protocol designed to be independent of the underlying telecommunication infrastructure equipment. As such, they are not a specially designed component of an item controlled under Category 5 Part 2. The items will be de-controlled as long as they meet all the requirements of Note 3.

7. We produce electric detonators for construction drilling and blasting. The detonator triggers are protected by lock boxes that use crypto to generate keys. These keys correspond to pass codes that appear on dongles carried by the operators. Is this system considered mass market?

It is unlikely that the system you describe is one which corresponds to the mass market note (Note 3). However, the text of 1-5.A.2.a.1 clearly excludes devices where the crypto is used for authentication or digital signature.

8.When would a newly introduced consumer product with cryptography become eligible for consideration under the Cryptography Note 3?

A product incorporating cryptographic functionality that meets all the elements of Note 3 except that it is not yet “generally available to the public” because it is not yet available for retail sale is normally eligible for treatment under Note 3, even if it is still at beta testing level, pre-production, or initial limited production stage, after the logical and physical design of cryptographic functionality in the finished product are fixed.

C. Note 4 Questions

1. What is an ‘Ancillary Cryptography' item?
An item decontrolled by Note 4 in Category 5, Part 2 of Group 1 of the Export Control List (also known as ‘Ancillary Cryptography' item) is defined as an item incorporating or using "cryptography" and meeting all of the following:

a. The primary function or set of functions is not any of the following:

  • "Information security";
  • A computer, including operating systems, parts and components therefor;
  • Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
  • Networking (includes operation, administration, management and provisioning);

b. The cryptographic functionality is limited to supporting their primary function or set of functions; and

c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. and b. above

The following lists of non-exhaustive examples are provided as additional information to help applicants in their self-assessment of ‘ancillary' encryption items.

Examples of items that would be considered as ‘ancillary' encryption items include, but are not limited to:

  • Piracy and theft prevention for software, music, etc.
  • Games and gaming
  • Household utilities and appliances
  • Printing, reproduction, imaging and video recording or playback
  • Business process modeling and automation (e.g., supply chain management, inventory, scheduling and delivery)
  • Industrial, manufacturing or mechanical systems (e.g., robotics, heavy equipment, facilities systems such as fire alarm, HVAC)
  • Automotive, aviation, and other transportation systems

Examples of items that would not be considered as ‘ancillary' encryption items include, but are not limited to:

  • e-mail / voice / videoconferencing / fax / file / disk encryption (including applications, session, signalling, transport and storage encryption);
  • a secure virtual private network (VPN), router, switch, base station, satellite communication device, trunked radio, wireless access point, bridge/repeater, voice over internet protocol (VoIP) server or endpoint, firewall or other networking / network infrastructure item;
  • an operating system for a computer and/or security appliance;
  • a cryptographic co-processor or accelerator;
  • a microprocessor, system-on-a-chip or other electronic assembly implementing cryptographic primitives or other “information security” functionality;
  • network management, provisioning and monitoring, including managed security services and security operations center (SOC) / network operations center (NOC) tools;
  • a digital / computer / Internet forensics tool;
  • a cryptanalytic tool;
  • a cryptographic library (including application programming interfaces (APIs) and other cryptographic interfaces), toolkit or software development kit (SDK);
  • public key infrastructure (PKI) and other key management, including the generation, exchange, loading or storing of encryption keys or secret parameters (e.g., crypto variables); or
  • quantum cryptography / QKD.

2. We produce a portable lighting system to support landing of aircraft in impromptu airfields to assist in disaster relief operations. Our lights are activated remotely via a secure wireless digital communication link. Are these lights controlled under Category 5 Part 2?

The primary purpose of the system, which includes the lights and remote controller, is operation of mobile airfield lights, and as such, this item would normally be decontrolled under Note 4 in Category 5, Part 2 of Group 1 of the Export Control List.

3. We are producers of gaming equipment. Our product allows users to play against and with each other in a complex network. We have high capacity servers located in other countries, and frequently need to export improved gaming equipment and software upgrades to optimize the user experience. Do we need permits to export these items?

Note 4 would normally allow the export of products when their primary function is entertainment, even if the equipment is used for sending, receiving, or storing information. It is important to note however that the applicability of Note 4 is dependent on what is being tendered for export. In this case, the improved gaming equipment and software upgrades being exported would need to be specially designed for gaming (i.e. entertainment) and meet Note 4 requirements in order to be de-controlled from Category 5 Part 2.

4. I am exporting an airplane that includes an integrated communications device that uses encryption. Is the airplane controlled under Category 5 Part 2?

The decontrol Note 4 would normally apply since the primary purpose of the system is air transport.

5. What if I am exporting a spare part for the airplane that uses encryption?

The spare part would have to be evaluated separately, and if its primary purpose does not decontrol it under Note 4, it may be controlled under Category 5 Part 2.