sbaker@steptoe.com
Michael D. Hintze
mhintze@steptoe.com
July 1997
This article was originally published in the Spring 1997 edition of The Canadian Law Newsletter (a publication of the Committee on Canadian Law, Section of International Law and Practice, American Bar Association).
Introduction
Encryption, the process of converting information into an unreadable form by the application of mathematical formulae, has become in recent years a highly controversial subject of government regulation. On the one hand, law enforcement and national security agencies are concerned about criminals and terrorists being able to encrypt communications and data so that, even if intercepted, they would be unreadable. On the other hand, the growth of the Internet and electronic commerce have created a market demand for encryption products that can make electronic communications secure - and industry is anxious to meet this demand.
In both the United States and Canada, export controls are the principle means used in the governments' effort to stem the spread of unbreakable encryption. In most cases, Canada controls the export of encryption to the same extent and in the same ways as does the United States.1 Individual licenses are required for the export of encryption equipment, software, and technology. These controls also encompass the provision of technical data and technical assistance related to cryptography.
However, there are several significant differences between Canadian controls and U.S. controls. These differences involve the provision of technical assistance to foreign persons, the maximum key length for encryption products that are freely exportable, and the treatment of mass market and public domain software. In each of these areas, Canadian controls are, to some degree, more permissive than the corresponding U.S. controls.
Canadian Export Controls on Encryption
Category 1150 of Group 1 of Canada's Export Control List ("ECL") controls essentially the same encryption items that are controlled in the United States. Item 1151 controls cryptographic systems, equipment and components; Item 1154 controls cryptographic software; and Item 1155 controls encryption "technology."
Controls on Cryptographic Hardware and Software
Item 1151 controls "[s]ystems, equipment, application specific 'electronic assemblies', modules or integrated circuits . . . and other specially designed components therefor" that are, inter alia, designed or modified to perform cryptoanalytic functions or to use cryptography to ensure information security.
Item 1154 controls software that performs any of the functions of the controlled cryptographic equipment or that is "specially designed or modified for the 'development', 'production' or 'use' of equipment or 'software' controlled by Category 1150.
Additionally, it is important to note that Canada's controls under Items 1151 and 1154 include not just items that perform cryptographic functions, but also items that are "designed or modified to use" cryptography. This broad language includes the same category of items that are controlled by the United States as "crypto with a hole." Thus, if a software product, for example, contains a "call" or an Application Programmer's Interface ("API") specifically designed for the insertion of encryption, the product will be controlled in the same way as if the encryption were already installed.
There are, however, a number of specific exclusions from these controls. These exclusions include equipment and software in which the cryptography is limited to:
(1) certain personalized smart cards that are not capable of encrypting message traffic or user-supplied data;
(2) fixed data compression or coding techniques;
(3) certain receiving equipment (e.g., set top decoders) for restricted audience radio, cable, or satellite broadcasts;
(4) cellular telephones and similar equipment that are not capable of end-to-end encryption;
(5) decryption functions that allow for the execution of copy-protected software;
(6) access control through the encryption of passwords or personal identification number ("PIN") codes in devices such as automatic teller machines ("ATMs") or point of sale terminals;
(7) data authentication or digital signature functions;
(8) cryptographic functions specifically designed for and restricted to machines for banking of money transactions such as ATMs; and
(9) cryptographic processing using analog techniques in certain broadcast and fax equipment.
Controls on Cryptographic Technology
The Canadian controls on encryption "technology" include any information that is necessary for the development, production or use of controlled cryptographic equipment or software. The definition of "technology" encompasses both "technical data" and "technical assistance."5 These terms are defined the same way as in the U.S. regulations.6 Technical data "may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices."7 Technical assistance "may take forms such as instruction, skills, training, working knowledge, [or] consulting services.
According to one Canadian official familiar with the licensing of encryption exports, it is not the policy of the Canadian government to control technical knowledge possessed by people. Only tangible items require export licenses. This is a significant difference from U.S. policy.
In the United States, intangible technical knowledge is explicitly controlled. The regulations state that a license is required for a U.S. person to "provide technical assistance (including training) to foreign persons with the intent to aid a foreign person in the development or manufacture outside the United States of encryption commodities and software that, if of United States origin, would be controlled."9 The U.S. government interprets this to mean that a technical assistance license would be required for a U.S. company to send employees to provide training or assistance to foreign persons in the development or manufacture of encryption items, even where the assistance is based only upon the personal knowledge possessed by the U.S. person. This is true even for internal personnel transfers to a company's foreign facilities.
Under the Canadian policy, by contrast, a license would not be required for Canadian engineers to travel abroad and assist in the development of encryption products or technology, so long as tangible items such as printouts of source code, computer disks containing code or technical information, etc., are not taken out of Canada. However, a company should obtain formal assurances from the Canadian government before relying on this policy. Canada's interpretation of its regulations could change, and the language of those regulations, especially the definition of "technical assistance," clearly allows the control of intangible personal knowledge.
Canadian Licensing Policy -- Key Length and End Use
Applications for encryption export permits are reviewed by Canadian authorities on an individual basis. An examination of foreign policy and security concerns is undertaken, and the type of goods exported, the ultimate destination of the goods, and the intended use of the goods are taken into consideration. According to Canadian export control officials, the policy considerations used in reviewing export permit applications for encryption products and technology are not much different from those employed in the United States.
As in the United States, encryption items that use a key no longer than 40 bits are readily approved for export. However, Canada is now also approving the export of 56-bit products. This recent change in policy was in response to the new U.S. policy on 56-bit exports. The United States now allows the export of 56-bit encryption items, but only for exporters that submit a plan demonstrating a commitment to the development of encryption products that incorporate "key-recovery" features.10 Because Canada has not endorsed the "key recovery" approach to government access, it has not put this limitation on the approval of 56-bit encryption exports. However, Canada is studying various approaches to ensuring lawful access to plain text data and may require companies to implement whatever approach is selected in order to be eligible for export permits after 1997. For this reason, export permits for 56-bit products must be renewed after only one year. Export permits for encryption items are normally valid for two years.
As in the United States, Canadian policy is to approve stronger encryption products for certain uses and users. For example, stronger products may be approved if the intended use is to protect the internal communications of Canadian or U.S. companies, or to protect financial information communicated by banks. According to one official, Canadian authorities will approve whatever strength they determine is appropriate for the intended use and/or user.
Mass Market Software Exception
The major difference between the scope of Canadian controls and U.S. controls is the applicability in Canada of the General Software Note. The General Software Note, located at the beginning of Group 1 of the ECL, decontrols mass market software or software that is in the public domain. A software product would fall within the exception for mass market software only if it is:
a. Sold from stock at retail selling points, without restriction, by means of:
1. Over-the-counter transactions;
2. Mail order transactions; or
3. Telephone transactions; and
b. Designed for installation by the user without further substantial support by the supplier.
A software product is "in the public domain" if it has "been made available without restrictions upon its further dissemination."13 A note accompanying this definition states that "copyright restrictions do not remove . . . 'software' from being 'in the public domain'."14 Thus, cryptographic software that meets the above criteria is generally decontrolled, regardless of algorithm or key length.
The U.S. Export Administration Regulations do contain a version of the General Software Note, but encryption software is specifically excluded from its scope.15 However, mass market software that contains encryption limited to 40-bit key lengths can, after a one-time review, be released form the normal encryption controls and thereby become eligible for mass market treatment under the General Software Note.
Canadian Export Controls On U.S. Origin Goods
United States origin goods that are not otherwise controlled under Canadian rules are controlled for re-export from Canada under Item 5400 of the ECL. In other words, Canadian law requires that a permit be obtained to export U.S. origin goods. Additionally, according to a government-issued booklet on export controls:
- exporters may be required to provide a copy of a U.S. export license or verification that such goods may be exported to the specified country without the U.S. license, prior to issuance of an individual export permit.
Thus, encryption items that are not otherwise controlled under Canadian regulations, such as mass market cryptographic software, may be controlled under this category if they contain U.S. origin content.
However, Item 5400 does not apply to goods used "in the production of new goods" or "goods that have been further processed or modified outside the United States so as to result in a substantial change in value, form or use of the goods."18 According to officials of the Canadian government, the rule of thumb is that if more than 50% of the actual value of a good is due to work done outside the United States, then the good is not considered to be of U.S. origin. This figure, however, is not mandated by Canadian law, and products with a lower percentage of U.S. content may be carefully scrutinized before export approval is granted or denied.
Moreover, it is important to point out that this distinction is from the perspective of the Canadian government. Even if an item falls outside the scope of Canadian export controls, it can still be controlled as a re-export under U.S. law -- and U.S. law does not have a minimum U.S. content rule.
Under normal U.S. Commerce Department procedures, there is a "de minimis" rule which applies to controlled U.S. technology that is exported to one country, incorporated into another (foreign) product there, and then re-exported to a third country. Currently, the Commerce Department does not require a license for the re-export if the controlled U.S. content of the foreign product constitutes no more than 10-25% of the foreign product's total value (depending on the destination of the re-export).19 However, the new U.S. encryption regulations make it clear that the "de minimis" rule does not apply to the re-export of foreign-origin items that incorporate controlled encryption items and technology.20 What this means is that a Canadian encryption product that contains any U.S. content at all will be controlled by U.S. law as a "re-export" from Canada.
Thus, for example, a Canadian mass market encryption software program that contains 50% or more of U.S. content will likely be controlled by Canadian controls on the export of U.S.-origin goods, and by U.S. controls on the re-export of encryption. A similar product that contains only 10% U.S. content will probably not be controlled by Canadian law, but will remain subject to U.S. controls on re-exports. If the mass market software product contains no U.S. content at all, it should be exportable from Canada free of both U.S. controls and Canadian controls on U.S. origin goods.
Canadian Export Licensing Procedures
Nearly all exports of controlled encryption require an individual export permit. Applications are made to the Department of Foreign Affairs and International Trade ("DFAIT") using a standard form. Applications are normally reviewed in consultation with an interdepartmental advisory group.
According to Canadian export control officials, every effort is made to process permit applications in 10 working days. For technology with which the authorities are familiar, this goal is generally met. For initial reviews of proprietary algorithms and other unfamiliar technology, however, the processing times can be somewhat longer.
Summary
Canadian controls on the export of encryption equipment, software, and technology are, for the most part, equivalent to U.S. controls. Unlike the United States, however, Canada allows companies (at least for the time being) to export 56-bit products freely without committing themselves to the development of key recovery technologies. Canada's controls on the provision of technical assistance also appear to be somewhat more narrow than those of the United States. Finally, Canada's export controls on encryption contain a major exception for mass market and public domain software. However, such products may be re-controlled by both Canadian law, and/or be subject to U.S. controls on re-exports, if the products contain any U.S.-origin content.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
For further information please contact L. Benjamin Ederington on Tel: +202-429-6411, fax: 202-429-3902 or E-mail: bedering@steptoe.com.
