UK Unpacks Encryption Controls
Despite the fact that export controls on dual-use goods derive from international agreements such as the Wassenaar Arrangement, significant differences can be seen as controls are implemented by different countries. The same is true in the European Union notwithstanding the fact that the EU’s dual-use regulation (Council Regulation (EC) No. 428/2009) is binding on its 28 Member States. Accordingly, while Regulation 428/2009 exempts telecom and information security equipment with encryption where there is limited cryptography functionality and/or products are mass-marketed and cannot be readily changed (the “Cryptography Note”), the exact scope of the exemptions is determined by each Member State.
On 3 April 2018, the UK released guidance on the application of the Cryptography Note to help exporters assess whether a licence is necessary. The guidance clarifies that to qualify for exemption under the Cryptography Note, the product must be intended for general public use and cannot be sold with limitation or qualification of the purchaser. However, a product used by a specific group, such as items that are customised in accordance with a standard list of options, which can also be used by a wider range of industries, may be exempt from controls. Further, the guidance clarifies the requirement that exempt products must be able to be installed by the public without assistance from specialists. It states that optional on-site installation support from the retail outlet, provision of installation instructions that are included in the product packaging, and/or assistance through a helpline or website where non-proficient users can ask questions about installation instructions do not necessarily disqualify the product from exemption. Finally, the guidance clarifies that offering an option to select algorithms from a pre-set list, or the ability to switch the function on or off, would not disqualify a product from exemption with respect to the requirement that the cryptographic functionality must be simple to manage in order to meet the requirements of the Cryptography Note.
In addition, the guidance addresses the applicability of controls to hardware components and executable software for the devices discussed above. It includes a list of items that would generally be exempt from controls, such as Wi-Fi chips designed for an existing model of tablet or wearable device, and GSM modems, because their main purpose is not information security. The guidance cautions, on the other hand, that a crypto acceleration co-processor or chips with built-in tamper defence would not qualify for exemption. Other caveats are flagged.
As the UK heads toward Brexit and autonomous implementation of international obligations, this clarification of its views on which encryption technology should not be subject to export controls will be welcome for UK manufacturers and companies placing products on the UK market.