This Guidance describes how the UK has applied the Cryptography Note, at Category 5 Part 2 of the List of Dual-Use Items and Technology, which enables cryptographic items which meet certain conditions to be exported without a licence.
The Cryptography Note (CN) reads as follows:
5.A.2 and 5.D.2 do not control items that meet all of the following:
a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone order transactions;
b. The cryptographic functionality cannot easily be changed by the user;
c. Designed for installation by the user without further substantial support by the supplier; and
d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. to c. above.
The CN is intended to decontrol cryptographic items sold to the general public for home, office or business use, just as other generally available goods such as magazines, books, videos, music CDs, etc. are not controlled.
All four conditions (a. to d.) have to be met for the decontrol to apply. The fact that an item is marketed over the Internet, e.g., business-to-business, does not of itself mean that it qualifies for decontrol.
For example, cryptographic software and hardware products used to provide high-end backbone infrastructure services, such as high-capacity backbone routers, do not qualify, as these items would normally require substantial support by the supplier.
The following interpretation is applied to the key phrases found in the CN:
(1) "retail selling points" are places where cryptographic items are readily available, for example:
- High street and warehouse shops which facilitate over-the-counter sales; and
- Companies which make sales via mail order, telephone, fax or Internet transaction. Purchases from such companies are made by reference to a mail order catalogue, magazine or newspaper advertisement, website, etc.; media which are generally available in their own right.
(2) "without restriction" means that a buyer may acquire a product by paying a standard fee to the seller. "Restriction" means, in this context, either that some persons are excluded from being allowed to buy, or that they are subject to conditions or limitations at the time of purchase, other than those normally arising from copyright, for example, conditions imposed in a software licence.
Other examples of forms of "restriction" include a requirement to establish residence in an EU member state before purchase can be authorised, or a requirement for the purchaser to undertake that the goods will not be re-sold or given to any person or company from or in a particular country, or that installation must be undertaken only by authorised engineers.
(3) The cryptographic functionality cannot easily be changed by the user
The manufacturer has taken reasonable steps to ensure that the cryptographic functionality in the product can only be used according to their specification.
(4) "Installation by the user without further substantial support"
Most mass-market products meet this requirement. "Substantial support" does not include purely nominal installation support, such as provision of a telephone or an e-mail help-line to resolve user problems.
(5) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. to c. in the CN above.
As an exporter you need to keep records of those cryptographic items decontrolled by the CN, that are in your possession, or that you can reasonably be expected to obtain, recognising that you may not be the manufacturer or originator of the item. The list below is based upon that in Schedule 4 Part II of the Export of Goods, Transfer of Technology and Provision of Technical Assistance (Control) Order 2003 (SI 2003/2764):
(a) A general description of the item, such as might be contained in a product brochure.
(b) Descriptions of all relevant encryption algorithms and key management schemes, and descriptions of how they are used by the item (for example, which algorithm is used for authentication, which for confidentiality and which for key exchange); and details (for example, source code) of how they are implemented (for example, how keys are generated and distributed, how key length is governed and how the algorithm and keys are called by the software).
(c) Details of any measures taken to preclude user modification of the encryption algorithm, key management scheme or key length.
(d) Details of pre- or post-processing of data, such as compression of plain text or packetisation of encrypted data.
(e) Details of programming interfaces that can be used to gain access to the cryptographic functionality of the item.
(f) A list of any standards or protocols to which the item adheres.
(g) In addition, installation instructions accompanying the cryptographic item should also be kept.
For further details of strategic export controls, including copies of all current Open General Export Licences, please contact:
ECO Helpline
Department of Trade and Industry
3rd Floor, Kingsgate House
66-74 Victoria Street
London
SW1E 6SW
Tel: 020 7215 8070
Fax: 020 7215 0531
e-mail: eco.help@dti.gsi.gov.uk
This notice is for information only and has no force in law. Please note that where legal advice is required, exporters should make their own arrangements.
Department of Trade and Industry
Export Control and Non-Proliferation Directorate
January 2006