Encryption Export Controls: A Comparative Analysis between the EU and the US

Similar documents
Developments in UE export controls. Jasper Helder, Baker & McKenzie Amsterdam 9 November 2012

United States Export Controls on Internet Software Transactions. John F. McKenzie Partner, Baker & McKenzie LLP

Top 10 Questions to Ask Before Exporting Software Containing Encryption

COMPUTER & INTERNET. Westlaw Journal. Expert Analysis Software Development and U.S. Export Controls

Encryption Simplification and the October 3 rd rule. Michael Pender Senior Engineer Information Technology Controls Division

Rules and Regulations

Department of Commerce

3. Designed for installation by the user without further substantial support by the supplier; and

Export Control Management System

Intrusion Software Tools and Export Control Introduction. Export Control in Context

US Export Regulations Compliance. Presented by Larry Disenhof Cadence Design Systems, Inc.

Chart 1: Zambia's Major Trading Partners (Exports + Imports) Q Q Switzernd RSA Congo DR China UAE Kuwait UK Zimbabwe India Egypt Other

Best Practices in Export Compliance: Five Key Issues in Canadian Trade Control Compliance and Enforcement

Harvard Export Control Compliance Policy Statement

Table of Contents INTRODUCTION (CCL) STRUCTURE

Open General Export Licence (International Non-Proliferation Regime Decontrols: Dual-Use Items) dated 20 June 2016 granted by the Secretary of State.

RSA. Frequently Asked Questions. RSA Data Security, Inc. About Cryptography Export Laws. Answers to THE KEYS TO PRIVACY AND AUTHENTICATION

ACP-NEP Co-ord (Smith, Lyn C2) Military Goods: A400M Collaborative Programme OPEN GENERAL EXPORT LICENCE APRIL 2014

CISCO PIX SECURITY APPLIANCE LICENSING

Export Controls on Intrusion Software. Collin Anderson Tom Cross

Managing the Relationship Between Canadian and U.S. Export Controls and Economic Sanctions: Compliance and Enforcement Issues

THE ADVANTAGES OF A UK INTERNATIONAL HOLDING COMPANY

TRANSFERS FROM AN OVERSEAS PENSION SCHEME

Asylum in the EU The number of asylum applicants in the EU jumped to more than in % were Syrians

Introduction To Commerce Department. Export Controls U.S. DEPARTMENT OF COMMERCE BUREAU OF INDUSTRY AND SECURITY OFFICE OF EXPORTER SERVICES

41 T Korea, Rep T Netherlands T Japan E Bulgaria T Argentina T Czech Republic T Greece 50.

Security Export Control System in Japan. Ministry of Economy, Trade and Industry, Japan

The Act imposes foreign exchange restrictions, i.e. performance of certain actions requires a relevant foreign exchange permit.

CHAPTER IV: SECTION 7 COMPLIANCE WITH U.S. SANCTIONS

Business Phone. Product solutions. Key features

Consolidated International Banking Statistics in Japan

Monthly Report on Asylum Applications in The Netherlands and Europe

Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY

INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM

Table of Contents INTRODUCTION INTRODUCTION IMPORTANT EAR TERMS AND PRINCIPLES ITEMS SUBJECT TO THE EAR..

When was UNCITRAL established? And why?

List of tables. I. World Trade Developments

I. World trade developments

Checklists of Foreign Countries for U.S. Firms Engaged in International Transactions

CLOUD COMPUTING, EXPORT CONTROLS AND SANCTIONS. By Richard Tauwhare, Dechert LLP i

Foreign Trade and Payments Ordinance

Japan s New Control on Non-Listed Items for Military End-Use

BLUM Attorneys at Law

UNCITRAL legislative standards on electronic communications and electronic signatures: an introduction

HOW GOVERNMENT SANCTIONS AFFECT YOUR GLOBAL PROGRAM (TLT024)

Chapter 4A: World Opinion on Terrorism

Bangladesh Visa fees for foreign nationals


The investment fund statistics

TETRA Security for Poland

Global Education Office University of New Mexico MSC , Mesa Vista Hall, Rm Tel , Fax ,

UAE Offshore Company Formation

Export Control Training

MIT U.S. Income Tax Presentation Non US Resident Students

DOING BUSINESS THROUGH MALTA - AN OVERVIEW

Mineral Industry Surveys

MALTA TRADING COMPANIES IN MALTA

International Call Services

Department of State Questions. 1. Why do I need to get the U.S. Government s approval to export and import defense articles and defense services?

Malta Companies in International Tax Structuring February 2015

Software Tax Characterization Helpdesk Quarterly June 2008

International Higher Education in Facts and Figures. Autumn 2013

RATING WORLD LEADERS: What People Worldwide Think of the U.S., China, Russia, the EU and Germany

Triple-play subscriptions to rocket to 400 mil.

Export Control Compliance Procedure Guide June 8, 2012

Reporting practices for domestic and total debt securities

- 1 - Regulation Implementing the Foreign Trade and Payments Act (Foreign Trade and Payments Regulation AWV) of 18 December 1986

The Export Control Lists of the European Union

ISP 2000/2001. national inspectorate of strategic products

How To Control A Record System

World Consumer Income and Expenditure Patterns

Introduction to Braumiller Schulz LLP Why Trade Compliance? Establishing an Internal Compliance Program (ICP) Contracting Services to Outside Experts

Foreign Taxes Paid and Foreign Source Income INTECH Global Income Managed Volatility Fund

DuchenneConnect.

Metopro Associates Limited

The Internationalization of Higher Education: Foreign Doctorate Holders in a Russian Academic Market as Agents of Transformation

1. Not Subject to the EAR and Defense Article. (1) Reserved. (2) Reserved

Best Practices Every Business Should Know in the International Trade Arena

Mastering Global Trade Compliance for Growth Through Export. Track 1 Session 3

Report on Government Information Requests

Energy Briefing: Global Crude Oil Demand & Supply

Legal guidelines Free trade agreements of Ukraine

Report on Government Information Requests

How To Make A Positive Decision On Asylum Applications In 2014

Digital TV Research. Research-v3873/ Publisher Sample

EXPORT LICENCE Open General Export Licence (Dual-Use Items: Hong Kong Special Administrative Region) dated 14 January 2016, granted by

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

Greece Country Profile

GOODMAN GLOBAL GROUP, INC. EXPORT CONTROL AND SANCTIONS COMPLIANCE POLICY

Transcription:

2013 Annual International Trade Compliance Conference Encryption Export Controls: A Comparative Analysis between the EU and the US John F. McKenzie Baker & McKenzie San Francisco Jasper Helder Baker & McKenzie Amsterdam Friday, November 8, 2013 Amsterdam, Netherlands

UNITED STATES

Encryption Export Controls: Key Concepts Export Controls imposed on Products that are designed or modified to use cryptography employing digital techniques performing a cryptographic function Cryptography is the discipline that embodies, principles, means and methods for the transformation of data in order to hide its information content, prevent is undetected modification, or prevent its unauthorized use. Products are controlled because of the capability to encrypt data, regardless of other functions and features 3

Encryption Export Controls: Key Concepts (cont d) The United States takes a very broad view of the scope of the encryption controls, including: Products that make calls to the encryption functionality of a third party product Activation codes to activate dormant encryption functionality Encryption products specially designed or modified for military use are subject to export control under the separate ITAR munitions export control program 4

The Encryption Export Control Hierarchy Products without encryption functions or features are not subject to the encryption export controls Exception: Products that make calls to, or interoperate with, the encryption functionality of third party hardware or software 5

The Encryption Export Control Hierarchy Items with encryption functionality but excluded from the encryption export controls Products with dormant encryption that requires cryptographic activation (Note (j) to 5A002) Activation keys for dormant encryption are themselves treated as controlled encryption products 6

The Encryption Export Control Hierarchy (cont d) Items with encryption functionality but excluded from the encryption export controls (cont d) Ancillary encryption (Note 4) Mass market encryption products (Cryptography Note: Note 3) The United States BIS takes the position that the mass market exception applies only to products distributed to individual consumers Products that use encryption exclusively for: (i) authentication and access control; (ii) digital signature; or (iii) execution of copy protected software Low level encryption (e.g., using a symmetric encryption algorithm with a key length of 56 bits or less 7

The Encryption Export Control Hierarchy (cont d) Controlled Encryption Products 5A002: Encryption Commodities utilizing (i) a symmetric encryption algorithm with a key length greater than 56 bits; (ii) an asymmetric algorithm with a key length greater than 512 bits; or (iii) elliptical curve encryption with a key length greater than 112 bits 5D002: Encryption software having the characteristics, or performing or simulating the functions, of controlled encryption commodities 5E002: Technology for the development, production or use of controlled encryption commodities or software 8

Unique Features of the United States Implementation of the Encryption Export Controls Extraterritorial Application: The United States Export Controls extend to the reexport from one country to another of United States origin encryption products, and products developed and produced abroad with United States origin encryption components Encryption Products excluded from the Encryption Controls remain subject to U.S. Export Controls for Anti- Terrorism Reasons 9

Unique Features (cont d) Regulatory Formalities Apply to the Export of Mass Market Encryption Items covered by the Cryptography Note Previously an Encryption Classification Ruling from BIS was required Now, the Exporter must file an encryption registration statement, receive an encryption registration number (ERN) and file annual selfclassification reports with BIS 10

Unique Features (cont d) Exports/reexports of controlled encryption products to foreign subsidiaries of U.S. corporations are authorized without export licenses and without regulatory formalities under license exception ENC Most other exports/reexports of controlled encryption commodities, software and technology are authorized without export licenses under license exception ENC, subject to compliance with a series of regulatory formalities specified in Section 740.17 of the Export Administration Regulations 11

Exports of Controlled Encryption Items under License Exception ENC For purposes of License Exception ENC, the Export Administration Regulations make a key distinction between (i) unrestricted encryption items; and (ii) restricted encryption items Examples of restricted encryption items include Network infrastructure products Encryption source code Encryption Items designed or modified for government endusers or to a customer specification, or that have cryptographic functionality the is user-accessible Products that provide functions necessary for quantum encryption 12

Items under License Exception ENC (cont d) For purposes of License Exception ENC, the Export Administration Regulations make a key distinction between (i) unrestricted encryption items; and (ii) restricted encryption items (cont d) Examples of Restricted Encryption Items include (cont d) Encryption Products that provide network penetration capabilities Cryptanalytic Products Products with an Open Cryptographic Interface Encryption Technology Classified under 5E002 13

Items under License Exception ENC (cont d) For purposes of License Exception ENC, the Export Administration Regulations make a key distinction between (i) unrestricted encryption items; and (ii) restricted encryption items (cont d) Examples of Restricted Encryption Items Include (continued) Chips, chipsets, electronic assemblies and FPLDs Cryptographic libraries and development kits and toolkits ASIC development kits implementing cryptography Encryption commodities and software that provide or perform vulnerability analysis, network forensics or computer forensics Automated network analysis, virtualization or packet inspection Investigation of data leakage, network breaches or malicious intrusion activities 14

Regulatory Formalities under the Export Administration Regulations to Export/Reexport Controlled Encryption Products under License Exception ENC Unrestricted Encryption Products (including most consumer, business and commercial software applications) File an Encryption Registration Statement with, and receive an Encryption Registration Number (ERN) from, BIS The ERN is the Authorization to Export Encryption Products under License Exception ENC Self-Classify the Encryption Products File an Annual Self-Classification Report for Each Encryption Item Exported during the Calendar Year under License Exception ENC DOCID#6695977 15

Regulatory Formalities under License Exception ENC (cont d) Restricted encryption products Obtain an encryption classification ruling (CCATS) from BIS License exception ENC is nonetheless not available, and specific export licenses from BIS must be obtained for: Exports of restricted items to government end-users located in any country other than the Supplement No. 3 countries (i.e., Canada, European Union, NATO, other close allies) Exports of encryption technology to customers located in country group D:1 countries (e.g., Russia, China) File semi-annual sales reports with BIS (exports from the United States only) 16

EUROPEAN UNION

Encryption Export Controls: Key Concepts Like the U.S., the EU takes a broad view of the scope of encryption controls, including: Activation codes to activate dormant encryption functionality Unlike the US: components for mass market encryption items remain controlled Encryption products specially designed or modified for military use are subject to export control under national regulations of the EU member states in respect of military items Categories ML 11.a (sub e, inter alia data processing equipment), ML 21 a and b.4 (software designed/modified for ML items, C3I & C4I software) 18

Encryption Export Controls: EU catch up (?) However, the EU has not yet enacted 2011 & 2012 Wassenaar changes. Relevant (2012) Wassenaar changes are: Addition of paragraph b to Cryptography Note for decontrol of hardware components for decontrolled mass market items Note to Cryptography Note which provides guidance on mass market concept Decontrol of personal area network equipment with a range up to 100 meters and max of 7 connections (EU: 30 meters) Note to 5E002 explicitly controls technical data from procedures carried out to evaluate or determine the implementation of category 5 controlled encryption 19

Some key EU v US Differences EU export controls do not apply extraterritorially, so no re-export controls EU export controls do not have a deemed export concept: export requires transfrontier movement 20

Some Key EU v US Differences (cont d) No up-front formal classification or registration requirement However, some EU countries maintain import controls, which require registration before import/use: Bulgaria (registration requirements for imports from outside the EU) France (registration requirements, plus reporting requirements for exports) Latvia (import licensing requirements for certain goods) Poland (reporting requirements) 21

Some Key EU v US Differences (cont d) Generally EU controls are a bright line: controlled or not controlled We have no equivalent to US anti-terrorism controls such as 5A992, 5D992, 5E992 But: bear in mind that some EU countries may introduce national controls in addition to the EU Dual Use Regulation Generally there is increased impact of human rights considerations for export licensing decisions 22

Some Key EU v US Differences (cont d) Many EU licensing authorities consider encryption for gov t use to be potential human rights issue Impact of human rights related criteria for military items EU Parliament resolution 23 October 2012 proposed: end use controls for items not on EU control list which are or may be intended ( ) for use in connection with a violation of human rights, democratic principles of freedom of speech ( ) by using interception technologies and digital data transfer devices for monitoring mobile phones and text messages and targeted surveillance of internet use ( ) Mandatory licensing requirement for non-control list items if there are human rights considerations. Restriction for UGEA005 (Telecoms Equipment) 23

Some Key EU v US Differences (cont d) Examples of encryption related human rights impact: Netherlands brokering controls require individual pre-notification of brokering for the supply of controlled items for sensitive countries (Afghanistan, Angola, Belarus, Birma, Congo, Egypt, Eitrea, Guinee, India, Irak, Iran, Israel, Ivory Coast, Lebanon, Liberia, Libya, North- Korea, Pakistan, Sudan, Syria, Zimbabwe, South-Sudan) Increased scrutiny by Dutch authorities of encryption exports to inter alia Lebanon German unilateral controls: 5A991 and 5D991 hardware and software for Terrestial Trunked Radio ( TETRA ) for Sudan. TETRA typically also applies encryption UK license refusals for encryption communications equipment The exception for the supply of certain encryption items to Iran under the EU sanctions was limited to 15 April 2013 24

EU Export Licensing Export is transfrontier transfer to non-eu destination Annex IV items also require license for intra-eu transfer Equipment, software and technology with/for cryptanalitic functions Transfers within EU may also require licence if known that the final destination is outside the EU and no processing or working is to be performed within the EU 25

EU Export Licensing The EU system has 2 types of licences: EU-level licences (i.e., the UGEA) National licences The national licences are subdivided into: Global (UK has specific OGEL for encryption items, Germany has AG16) Individual UGEA EU001 permits export of crypto hardware and software (excluding Annex IV) to Australia, Canada, Japan, Liechtenstein, New Zealand, Norway, Switzerland, and the US 26

EU Encryption Administrative Points EU: Article 20 - records of dual-use exports to be kept for at least 3 years (but national rules usually impose longer period) EU: Article 22 Control statement on commercial documents for intra-eu transfers EU: Article 22 - Member States may request additional information in respect of intra-eu transfers of information security items UK: maintain records for intra-eu tranfers France: declaration required for certain encryption items when transferred to EU country 27

Tips License exception ENC does not mean re-export of US items from the EU do not require an EU license Components for mass market encryption items still require an EU export license, although decontrolled in the US EU authorities do tend to follow US CCATS, but be mindful of the differences between EU and US Wassenaar implementation 28

Questions? John F. McKenzie San Francisco/Palo Alto +1 415 576 3033 john.mckenzie@bakermckenzie.com Jasper Helder Amsterdam +31 6 46 17 94 82 jasper.helder@bakermckenzie.com 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information