Encryption Exports and Imports
Encryption is embedded in our everyday life. Our computers and cell phones, as well as the software programs that run on them, employ multiple encryption features. We encounter encryption when we withdraw cash from an ATM or bank or shop on-line.
Encryption is so pervasive, it can’t possibly be regulated for export and import – or can it? If encryption is embedded in a software program that is downloaded, it can’t be traced, so why even bother with compliance? If I am only using the encryption Apple offers in iOS, it can’t possibly be my problem…
Wait, what’s this notice at the Apple App Store?
To make your app available on the App Store, you must submit a copy of your U.S. Encryption Registration (ERN) approval from the U.S. Bureau of Industry (BIS).
Overview of Encryption Regulations
In fact, the United States and 40 other countries that are members of the Wassenaar Arrangement control an expanding list of products and technologies that implement encryption. A number of the Wassenaar member countries, like France and Russia, and some other countries, like Israel and China, regulate the importation of encryption products.
In some cases, the regulatory requirements are as simple as filing a notice or report, prior to exporting or importing encryption products. In other cases, there is a complex and non-deterministic licensing or permitting process.
Thomsen and Burke’s approach to compliance with the U.S. and other export and import requirements associated with export and import of encryption products starts with our Encryption Checklist (available to clients upon request).
Using the information from the Encryption Checklist, we can quickly and cost effectively analyze the optimal compliance strategy, under U.S. and foreign laws governing export and import of encryption products. Among the countries and agencies we deal with on are regular basis are the following:
- France’s Agence Nationale de la Sécurité des Systèmes d’Information
- Israel’s Ministry of Defense
- Hong Kong’s Trade and Industry Department
- Russia’s Federal Security Service
- Japan’s Ministry of Economy, Trade and Industry
- China’s State Encryption Management Bureau
- South Africa’s Department of Communications
- Poland’s Internal Security Agency
Although the rules in each jurisdiction may be idiosyncratic, we have found that the comprehensive knowledge that we gain by the answers supplied in a completed Encryption Checklist generally is sufficient to complete the notice, registration, application and other requirements associated with the export and import of encryption products.
In some countries, like France and Israel, we can prepare and submit applications and interface directly with the regulatory authorities providing end-to-end service. In other countries, like Hong Kong, we can prepare applications for submission by the importer of record.
A typical case involving an App released on the Apple App Store might involve three (or more) filings:
- A Registration with the U.S. Commerce Department’s Bureau of Industry and Security under the Export Administration Regulations;
- A Declaration to the French Agence Nationale de la Sécurité des Systèmes d’Information; and
- A “Free Means” application to the Israeli Ministry of Defense
The cost of non-compliance with the encryption regulations can be steep. Recently, Wind River/Intel paid a fine in the amount of $750,000.00 and Barracuda Networks paid a fine in the amount of $1,500,000.00 to settle charges of violating the U.S. export control laws on encryption products.
Keeping current with all of the laws and regulations governing the export and import of encryption products is challenging, but there are some resources that may help:
- The Alliance for Network Security is a trade association devoted exclusively to laws and regulations governing the export and import of encryption products .
- The American Conference Institute’s Global Cryptography, Cloud Computing and Cybersecurity Conference provides a good networking opportunity for practitioners in this field.
- The Crypto Law Survey can be a useful on-line repository of information by country, but is not necessarily accurate or up-to-date for all countries.
- The Wassenaar Arrangement has a list of participating states with links to their export control authorities.
Encryption can be found in an increasing number of products. In many cases, the regulatory compliance burden is modest. Penalties can be severe. Thomsen and Burke’s Encryption Checklist (available to clients upon request) can be an essential tool in complying with U.S. and foreign laws and regulations governing the export and import of Encryption Products.
Disclaimer: This document may be considered Attorney Advertising. It is provided for informational purposes only and is not to be considered legal advice. Its distribution does not establish an attorney-client relationship. Each situation is unique and the techniques used will differ depending on the facts and circumstances. Therefore, this document does not describe the work that may performed in any particular matter.