This snapshot taken on 02/10/2009, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

We're creating a single website for everything to do with BIS but, while we do that, you'll find information in three places. > Find what you're looking for

 
 

Guidance on export of Cryptographic Items

This Guidance describes how the UK has applied the Cryptographic Note at Category 5 Part 2 of the List of Dual-Use Items and Technology which enables cryptographic items which meet certain conditions to be exported without a licence.

The CN is intended to decontrol cryptographic items sold to the general public for home, office or business use, just as other generally available goods such as magazines, books, videos, music CDs, etc are not controlled.

 

Details

The Cryptography Note (CN) reads as follows:

"5.A.2 and 5.D.2 do not control items that meet all of the following:

a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone order transactions;

b. The cryptographic functionality cannot easily be changed by the user;

c. Designed for installation by the user without further substantial support by the supplier; and

d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. to c. above."

 

Conditions

All four conditions (a.- d.) have to be met for the decontrol to apply. The fact that an item is marketed over the Internet, e.g., business-to-business, does not of itself mean that it qualifies for decontrol.  For example, cryptographic software and hardware products used to provide high end backbone infrastructure services, such as high capacity backbone routers, do not qualify as these items would normally require substantial support by the supplier.

 

Interpretation

The following interpretation is applied to the key phrases found in the CN:

  1. "retail selling points" are places where cryptographic items are readily available, for example:

    1. High street and warehouse shops which facilitate over-the-counter sales; and

    2. Companies which make sales via mail order, telephone, fax or Internet transaction. Purchases from such companies are made by reference to a mail order catalogue, magazine or newspaper advertisement, website, etc.; media which are generally available in their own right.

  2. "without restriction" means that a buyer may acquire a product by paying a standard fee to the seller. "Restriction" means, in this context, either that some persons are excluded from being allowed to buy, or that they are subject to conditions or limitations at the time of purchase, other than those normally arising from copyright, for example, conditions imposed in a software licence.
    Other examples of forms of "restriction" include a requirement to establish residence in an EU member state before purchase cxan be authorised, or a requirement for the purchaser to undertake that the goods will not be re-sold or given to any person or company from or in a particular country, or that installation must be undertaken only by authorised engineers.

  3. The cryptographic functionality cannot easily be changed by the user
    The manufacturer has taken reasonable steps to ensure that the cryptographic functionality in the product can only be used according to their specification.

  4. "Installation by the user without further substantial support"
    Most mass-market products meet this requirement.  "Substantial support" does not include purely nominal installation support, such as provision of a telephone or an email help-line to resolve user problems.

  5. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. to c. in the CN above.
    As an exporter you need to keep records of those cryptographic items decontrolled by the CN, that are in your possession, or that you can reasonably be expected to obtain, recognising that you may not be the manufacturer or originator of the item. The list below is based upon that in Schedule 4 Part II of the Export of Goods, Transfer of Technology and Provision of Technical Assistance (Control) Order 2003 (SI 2003/2764)

    1. A general description of the item, such as might be contained in a product brochure.

    2. Descriptions of all relevant encryption algorithms and key management schemes, and descriptions of how they are used by the item (for example, which algorithm is used for authentication, which for confidentiality and which for key exchange); and details (for example, source code) of how they are implemented (for example, how keys are generated and distributed, how key length is governed and how the algorithm and keys are called by the software).

    3. Details of any measures taken to preclude user modification of the encryption algorithm, key management scheme or key length.

    4. Details of pre-or post-processing of data, such as compression of plain text or packetisation of encrypted data.

    5. Details of programming interfaces that can be used to gain access to the cryptographic functionality of the item.

    6. A list of any standards or protocols to which the item adheres.

    7. In addition, installation instructions accompanying the cryptographic item should also be kept.

For further details of strategic export controls, including copies of all current Open General Export Licences, please contact the ECO.

This notice is for information only and has no force in law. Please note where legal advice is required exporters should make their own arrangements.

Export Control Organisation

January 2006

Back to Top

© Crown copyright2009