What is Export/Import Control on Encryption?

CyberPeace Alliance
Nov 2 · 9 min read

Encryption is used to protect all our online transactions, both monetary and non-monetary. Strong encryption is fundamental to securing our data online and keeping our devices safe from ‘third party access’. Technically, encryption is an algorithm that converts data into an encrypted format. So, can this encryption be subjected to export/import control? If so, how?

“To make your app available on the App Store, you must submit a copy of your U.S. Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS).”

All software is subject to export control regulation. There are national authorities in all developed nations that monitor the control of encryption. This encryption control regime is important to prevent cybercrime. Because of these export control regimes, we see constant new challenges from cybercriminals, who seek to discover new ways and means to circumvent controls. However, the inherently global nature of information and communication networks makes the task of export control enforcement quite difficult, and the difficulties of defining and enforcing jurisdictional boundaries in the international environment become more and more evident.

Considered in these terms, it is clear that the development and widespread deployment of cryptography that can be used to deny government access to information represents a challenge to the balance of power between the government and the individual.

Encryption functions can be both hardware and software based. Usually the same rules apply to hardware and software, because under the Wassenaar Arrangement, which is the principal foundation of all encryption software export control regimes around the world, information security products are controlled or released from controls principally on the basis of the method used.

Several countries, including China, Israel, and Russia, have import restrictions on cryptography. Some countries require vendors to obtain a license before importing cryptographic products. Many governments use such import licenses to pursue domestic policy goals. In some instances, governments require foreign vendors to provide technical information to obtain an import license. This information is then used to steer business toward local companies. However, there have been cases where governments have been accused of using this same information for outright industrial espionage.

International Regulation on Export/Import of Encryption — Role of the Wassenaar Arrangement

Internationally, export controls are the strongest tool used by governments to limit development of encryption products. Increasingly, they have generated controversy because they pit the needs of national security to conduct signals intelligence against the information security needs of legitimate businesses and the markets of manufacturers whose products might meet these needs.

Some countries take advantage of the lack of controls in their countries. One result of this has been the emergence of small companies, in many countries without restrictions, which produce encryption products. Another result has been companies moving their encryption production divisions overseas to countries with fewer controls, such as Switzerland or Anguilla, a British self-governing territory in the Caribbean.

“Switzerland will keep its efficient export permit process for cryptographic goods in order to encourage Swiss exports to increase their sales and share worldwide while being mindful of national security interests.” (Swiss officials, as quoted in Cryptography and Liberty 1999)

Although Switzerland is a member of the Wassenaar Arrangement (WA), it pursues a very liberal crypto policy while remaining in full compliance with the WA's provisions. It must be recognized that all the other WA member countries also had their national economic interests in mind when they joined it. Had they deemed it detrimental to their national interests, they probably would not have joined.

Seen from the perspective of its initial elements, the WA was established in order to “prevent the acquisition of … sensitive dual-use items for military end uses, if the situation in a region or the behavior of a State is, or becomes, a cause for serious concern to the participating States.” Encryption technology is subject to this provision because it is a dual-use item. It is important to keep in mind that the ultimate goal of export controls on cryptography is to keep strong cryptography out of the hands of potential targets of signals intelligence. Some WA participating States have very powerful SIGINT bodies, capable of eavesdropping on large amounts of communication all over the world.

The stated goal of the Wassenaar Arrangement was “to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies.” Cryptography is classified as a dual-use good. The Wassenaar Arrangement makes symmetric cryptography products of up to 56 bit key length, and asymmetric cryptography products of up to 512 bit key length, free from export restriction.

Furthermore, the Wassenaar Arrangement includes a personal-use exemption, allowing individuals who travel abroad to carry with them cryptography devices for their personal use. However, cryptography products that do not fall into these exemptions are still eligible for restriction. The Wassenaar Arrangement sets general parameters for import and export control to which member states largely adhere; however, the Wassenaar controls are not binding on member states and are implemented at the discretion of member governments.

National Export/Import Control Regulation

Most major countries regulate encryption, to varying degrees. Encryption is regulated because it is a “dual-use” technology; that is, it has both commercial and military value. The United States pioneered the efforts to regulate encryption during the Cold War. Since then, U.S. encryption regulation has been driven by two competing concerns:

“(1) the ability of American high-tech industries to compete in foreign markets; and

(2) the ability of criminals and terrorists to threaten national security through the use of strong encryption.”

However, other countries’ encryption regulations may be meant to serve other ends, e.g. the monitoring and restriction of domestic speech. This regulatory patchwork creates substantial challenges and risks to firms operating internationally. In an effort to harmonize regulations on the export and import of dual-use technologies, many countries have come together and agreed to a set of principles known as the Wassenaar Arrangement.

How is Cryptography Regulated in the United States of America?

The United States of America, in addition to being the current primary producer of information-technology and security products, also has among the most well-developed and documented laws regarding encryption. Hence, American encryption regulation is a useful place to begin an inquiry into the global framework of encryption regulation. The United States does not place any restriction on the domestic use, creation, or sale of encryption products.

Furthermore, there is no restriction on the importation of cryptography systems. The exportation of encryption products, however, has historically been heavily restricted, and although the restrictions have been eased in recent years in many respects, the regulations still present obstacles and risks to U.S. businesses operating overseas.

Regulations on Use

The U.S. does not restrict the domestic use of cryptography. Furthermore, a federal district court has held that there is no obligation to reveal one’s encryption key or password in the context of a criminal investigation.

However, a recent case has held that, while a defendant cannot be compelled to provide his or her decryption key or password, he or she can be compelled to provide unencrypted copies of the files or documents in question under certain circumstances.

The export of encryption products from the United States is regulated by a variety of governmental agencies. The primary regulator of encryption exports is the Commerce Department’s Bureau of Industry and Security (BIS), which administers the Export Administration Regulations (EAR). The EAR governs the export of any dual-use commodities, including encryption systems. Encryption products are regulated under Category 5, Part 2 of the EAR. Generally, if an item to be exported uses or contains cryptography, is not designed for medical end use, and does not limit the use of cryptography to intellectual property or copyright protection functions (as with a DVD), then the item is regulated under Category 5, Part 2. The regulations governing cryptography export have been relaxed in recent years, but still require exporters to determine for themselves the licenses and other documentation required for their software exports, taking into account the software to be exported, the person or entity to whom the software is being sold, and additional factors.

How is Cryptography regulated in the European Union?

Cryptography in the European Union (EU), like in the U.S., is free to use domestically, but faces restriction on its export. Council Regulation (EC) No. 1334/2000 regulates the export of dual-use goods, which include cryptography. These regulations follow the Wassenaar Arrangement. Export within the European Union is fully liberalized. Exports to a select group of non-EU countries are lightly regulated, and exports to remaining countries are more heavily regulated.

The European Union has been a long-time advocate of free domestic use of strong cryptography. In the 1990s, the Clinton Administration pursued several international initiatives aimed at encouraging — or even mandating — key escrow. The EU, through the European Commission, took a stance against those proposals. The Commission “stressed the economic and societal importance of cryptography,” and noted that “key escrow or key recovery raise a number of practical and complex questions that policy makers would need to solve, in particular issues of privacy, vulnerability, effectiveness and costs.”

Hence, European support for the free use of encryption and opposition to mandatory key escrow proved critical to the continued development of strong cryptography.

How is Cryptography Regulated in China?

China is one of the most challenging environments for cryptography use and regulation. Importation and exportation of cryptography products are both highly regulated. Import and export of encryption products require a license from the State Encryption Management Commission.

Encryption is regulated primarily by the National Commission on Encryption Code Regulations (NCECR). Encryption products cannot be sold or imported in China without prior approval by NCECR. Furthermore, individuals and firms in China can only use cryptography products approved by the NCECR. This also applies to foreign individuals and firms operating in China, who must report details of their encryption systems to, and receive approval to use those products from, the NCECR.

China’s Cybersecurity Law also provides for the regulation of encryption technology.

How is Cryptography Regulated in India?

In India, the Information Technology (Amendment) Act, 2008 provides for encryption under Section 84A, which reads as follows: “84A. The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.”

An encryption policy under this section is urgently required as a national policy, since at present encryption is restricted to 40 bits under the telecom licensing policy regime. This level of encryption is weak and does not promote client confidence; clients require strong encryption for data protection and privacy protection. The government, however, has a legitimate need to access encrypted data for monitoring of suspected criminals and terrorists, which is considered lawful interception. Encryption policy, therefore, requires consideration of various technical issues, national security issues, business privacy, and international competitive pressures for the growth of e-commerce and e-governance applications. Continued economic growth of Indian industries and business in an increasingly global economy requires availability of cryptography to all legitimate users, including employees and business associates of the corporate sector.

The Data Security Council of India (DSCI) is a premier industry body on data protection in India, set up by NASSCOM, committed to making cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cyber security and privacy. DSCI brings together national governments and their agencies, industry sectors including IT-BPM, BFSI, Telecom, industry associations, data protection authorities and think tanks for public advocacy, thought leadership, capacity building and outreach initiatives.

To further its objectives, DSCI engages with governments, regulators, industry associations and think tanks on policy matters. To strengthen thought leadership in cyber security and privacy, DSCI develops best practices and frameworks, and publishes studies, surveys and papers. It builds capacity in security, privacy and cyber forensics through training and certification programs for professionals and law enforcement agencies, and engages stakeholders through various outreach initiatives including events, awards, chapters, consultations and membership programs. DSCI also endeavors to increase India’s share in the global security product and services market through global trade development initiatives. These aim to strengthen the security and privacy culture in India.

Written by CyberPeace Alliance

This is a joint program initiated by Cyber Peace Foundation, in association with the Ostrom Workshop, Indiana University