Notice to Exporters
Export Controls on Cryptographic Goods
Serial No. 113
Date: December 23, 1998
Table of Contents
- 1.0 Purpose
- 2.0 General
- 3.0 Canadian Policy
- 4.0 Wassenaar Arrangement
- 5.0 Liberalizations
- 6.0 Proposed Export Control List Changes
- 7.0 Administration
- 8.0 Export Permit Requirements
- 9.0 Contacts
1.1 The purpose of this Notice is to inform the exporting community of:
- proposed changes to Canada's export controls on cryptographic goods as a result of recent changes to the Wassenaar Arrangement Lists of controlled goods and technology; and
- the procedures that have been implemented to streamline the export permit process for cryptographic goods to make the process more transparent.
2.1 The export of cryptographic goods and technologies is controlled for the purposes set out in Section 3(d) of the Export and Import Permits Act (EIPA):
- "3(d) to implement an intergovernmental arrangement or commitment."
2.2 The Export Control List (ECL) includes the publication "A Guide to Canada's Export Controls" (Guide). The ECL contains the list of items subject to export controls. The ECL is a regulation made pursuant to the EIPA as a means of controlling the export of goods from Canada. Cryptographic goods and technologies are enumerated as Item 1150 - Information Security of the Guide.
2.3 These controls are applied in a manner consistent with Canadian laws, regulations, policies and with Canada's multilateral commitments. The export of cryptographic goods and technologies is administered by the Export Controls Division (EPE) of the Department of Foreign Affairs and International Trade (DFAIT).
3.0 Canadian Policy
3.1 The proposed export control changes, which are expected to take effect in 1999, and identified in this Notice, are consistent with the Canadian Cryptography Policy announced by the Honourable John Manley, Minister of Industry Canada in October 1998. The changes do not alter the Canadian Cryptography Policy which allows Canadians to use, develop or import any strength of cryptographic product. These changes do not alter Canada's positions regarding no mandatory key recovery or licensing regimes.
3.2 Furthermore, as announced in the Canadian Cryptography Policy, procedures have been implemented which are designed to streamline the export permit process for cryptographic goods to better position Canadian exporters to increase their sales and share in global markets while being mindful of security interests.
4.0 Wassenaar Arrangement
4.1 The Wassenaar Arrangement was established in order to contribute to regional and international peace and security, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. The thirty-three participating states of the Wassenaar Arrangement seek to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities. This arrangement is also intended to enhance cooperation to prevent the acquisition of armaments and sensitive dual-use items for military end-uses, if the situation in a region or the behaviour of a state is, or becomes, a cause for serious concern. This arrangement is not directed against any state or group of states and does not impede bona fide civil transactions.
4.2 Since the establishment of the Wassenaar Arrangement, all products designed or modified to use cryptography of any key bit length to ensure information security have been controlled unless they complied with either a specific exemption or the General Software Note.
4.3 To keep pace with developing technology and electronic commerce while being mindful of security interests, the Wassenaar Arrangement Participating States reached a consensus decision on export control revisions for cryptographic goods and technologies at a meeting in Vienna on December 3, 1998. These revisions, details of which are available on the Wassenaar Arrangement web site, provide significant relaxations that help promote the further development of electronic commerce. In general, the changes establish an equivalence for hardware and software goods, implement controls on certain mass market goods, and remove controls on a range of goods.
5.1 The Wassenaar Arrangement Participating States agreed to remove from control:
- goods performing the function of authentication;
- goods performing the function of digital signature;
- access control goods where there is no encryption of files or text except as directly related to the protection of passwords, Personal Identification Numbers (PINs) or similar data to prevent unauthorized access;
- goods employing analogue principles when not implemented with digital techniques;
- goods employing a symmetric algorithm with a key length of 56 bits or less;
- goods employing an asymmetric algorithm where the security of the algorithm is based on any of the following:
- factorisation of integers not greater than 512 bits (e.g. RSA);
- computation of discrete logarithms in a multiplicative group of a finite field of size not greater than 512 bits (e.g.Diffie-Hellman over Z/pZ); and
- discrete logarithms in a group other than mentioned in (ii) above and not greater than 112 bits (e.g. Diffie-Hellman over an elliptic curve).
- receiving equipment for radio broadcast, pay television or similar restricted audience television of the consumer type, without digital encryption except that exclusively used for sending the billing or programme-related information back to the broadcast providers;
- goods where the cryptographic capability is not user-accessible and which is specially designed and limited to allow any of the following:
- execution of copy-protected software;
- access to any of the following:
- copy-protected read-only media;
- information stored in encrypted form on media (e.g. in connection with the protection of intellectual property rights) when the media is offered for sale in identical sets to the public; or
- one-time copying of copyright protected audio/video data.
- goods specially designed and limited to banking use or money transactions; and
- cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (i.e., a single, unrelayed hop between terminal and home base station) is less than 400 metres;
5.2 In addition, the Wassenaar Arrangement Participating States agreed:
- to remove the exporter semi-annual reporting requirements; and
- to maintain the existing exemption for software "in the public domain".
6.0 Proposed Export Control List Changes:
6.1 The Wassenaar Arrangement Participating States agreed to replace Entry 1 of the General Software Note for Mass Market Cryptographic Software with a Cryptography Note applicable to both hardware and software goods that meet all of the following:
- generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
- over-the-counter transactions;
- mail order transactions;
- electronic transactions; or
- telephone call transactions
- the cryptographic functionality cannot easily be changed by the user;
- designed for installation by the user without further substantial support by the supplier;
- does not contain a symmetric algorithm employing a key length exceeding 64 bits; and
- when necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter's country in order to ascertain compliance with conditions described in paragraphs a. to d. above.
6.2 In addition to the technical changes, the Wassenaar Arrangement Participating States agreed that the controls on Mass Market goods as defined in sub-paragraph 6.1 (d) above will remain in effect for two years and that the renewal of such controls for a successive period will require the unanimous consent of the Wassenaar Arrangement Participating States.
7.1 The export of cryptographic goods and technologies is administered by the Export Controls Division (EPE) of the Department of Foreign Affairs and International Trade (DFAIT). Cryptographic goods and technologies are enumerated under Item 1150 - Information Security of the Group 1 - Dual Use List in the Guide. These controls are applied in a manner consistent with Canadian laws, regulations and policies, and with Canada's multilateral commitments.
7.2 The regulatory changes will be implemented in a manner that respects our national cryptography policy. This policy encourages the widespread use of strong encryption and growth of export markets for Canadian technologies.
7.3 The regulatory changes will not affect the export of cryptographic goods and technologies to the United States. There will continue to be no permit requirements to export cryptographic goods or technologies to the United States.
7.4 The regulatory changes to Canada's export controls will come into effect in approximately six months. During the interim period the existing export controls described in Group 1, Item 1150 of the Export Control List remain in effect. Accordingly, export permits are required to export controlled cryptographic goods and technologies to any destination except the United States, however, the exporting community will benefit from the agreed liberalizations. To the extent possible, Canada shall:
- continue to apply the existing decontrol notes as described in Group 1, Item 1150 of the Export Control List for cryptographic goods until the regulatory changes come into effect;
- expedite the permit issuing process for those goods which will no longer be controlled as a result of the regulatory changes; and
- continue to apply the existing General Software Note for cryptographic software until the regulatory changes come into effect.
7.5 As soon as practicable, a General Export Permit will be issued for mass market software employing a symmetric algorithm with a key length not exceeding 128 bits.
7.6 Consistent with the Canadian Cryptography Policy announced by Mr. Manley in October 1998, Canada has streamlined the permit issuing process for controlled cryptographic goods by establishing the cryptographic multi-destination permit and maintaining information (cataloguing) on controlled goods.
7.7 Cryptographic multi-destination permits are issued by DFAIT to allow the export of a specific good, or goods, to an authorized target sector in specific countries. It enables the exporter to export strong controlled cryptography:
- without having to apply for individual consignee based permits;
- to authorized target sectors such as banks and financial institutions, and bona fide Canadian and American corporations; and
- under certain non-onerous conditions which may include:
- not permitting the export to military end-users; and
- ensuring that the exporter notifies end-users of any terms and conditions.
7.8 Cataloguing establishes the cryptographic capability and functionality of controlled goods at the time of export permit issuance. For subsequent permit applications, the permit consultation process may concentrate on the consignee and intended end-use of the goods provided it has not changed from when it was last catalogued.
7.9 Canada will continue to examine additional mechanisms for streamlining the export permit process such as the use of General Export Permits, multi-destination permit improvements, and the identification of additional target sectors for multi-destination permits.
8.0 Export Permit Requirements
8.1 The export of goods and technologies described in Group 1 of the ECL requires an export permit from DFAIT. Applications for permits are submitted to DFAIT for processing.
9.1 Questions regarding this Notice should be directed to:
The Department of Foreign Affairs and International Trade,
Export Controls Division (EPE),
125 Sussex Drive,
Ottawa, Ontario, K1A 0G2
- Date Modified: