On 8th May 2018, the Hong Kong government issued Strategic Trade Controls Circular No. 6/2018 (‘the 2018 Circular’), Import and Export of Encryption Products, in order to “remind traders of the licensing requirements for the import and export of encryption products”.
Encryption products are commonplace – virtually all commercially available digital telecommunications devices (such as the smartphone in your pocket) contain elements of cryptographic software. Often, ingenious and successful software products are little more than a ‘wrapper’ round existing products that are commercially available but less user-friendly, or less well marketed, and that nonetheless contain cryptographic elements.
The 2018 Circular states that:
“Encryption products are controlled under the Wassenaar Arrangement*, an international control regime overseeing the controls over the transfer of both munition items and dual-use goods and technology. Accordingly, encryption products may fall under “Category 5, Part 2 – Information Security” of the Dual-use Goods List of Schedule 1 to the Regulations. Import and export of the encryption products so specified are subject to licensing control.”
The original Wassenaar rules threatened to interfere with collaborative attempts by international security and intelligence organisations to slow down rapidly spreading malware outbreaks. They also gave rise to considerable confusion, and a consequent administrative burden on the state and on business, in relation to the licensing of encryption products. After four years of discussion and lobbying, Wassenaar updated its rules on 6th December 2017. The 2018 Circular reflects and implements that update.
In Hong Kong, trade in strategic goods is controlled by the Import and Export Ordinance, Chapter 60, Laws of Hong Kong, and the Import and Export (Strategic Commodities) Regulations (Cap. 60 sub. leg. G) (‘the Regulations’).
Strategic goods are defined by inclusion in four schedules made under the Regulations.
In order, lawfully, to import or export any strategic goods, a licence is required from the Director-General of Trade and Industry.
The Regulations impose control over encryption products with a symmetric key length above 56 bits. However, exemptions are granted for products, of whatever key length, provided that they fall under one of the following scenarios:
i. accompanying the user, for the user’s personal use; or
ii. meeting all of the following conditions:
a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
– Over-the-counter transactions;
– Mail order transactions;
– Electronic transactions; or
– Telephone call transactions;
b. The cryptographic functionality cannot easily be changed by the user;
c. Designed for installation by the user without further substantial support by the supplier; and
d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs (a) to (c) above.
The factors that the licensing / enforcement authority will take into account in determining “general availability” are: quantity, price, required technical skill, existing sales channels, typical customers, and typical use or any exclusionary practices of the supplier.
Category 5-Part 2 does not apply to items incorporating or using cryptography and meeting all of the following conditions:
(a) The primary function or set of functions is not any of the following:
(1) “Information security”;
(2) A computer, including operating systems, parts and components of the computer;
(3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management);
(4) Networking (includes operation, administration, management and provisioning);
(b) The cryptographic functionality is limited to supporting their primary function or set of functions;
(c) When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs (a) and (b) above.
One way or another, the smartphone in your pocket satisfies the exemption test and/or falls outside Category 5-Part 2. With more esoteric and/or less commonly available products, the analysis is more nuanced, and failure to obtain a licence or to satisfy an exemption gives rise to criminal liability.
Further to the Wassenaar Arrangement’s new rules, the UK government has also recently published guidance ‘to assist exporters to make their own assessment on the application of the “Cryptography Note” – Note 3 to Category 5 Part 2, Information Security as it appears in Annex I to Council Regulation (EC) No. 428/2009 (as last amended by Regulation (EU) No. 2268/2017).’
As in Hong Kong, and deploying a common language, excluded goods may be exempted from control, provided that they:
However, the UK guidance comes with a warning:
“[An] item’s control list classification cannot be worked out solely from the classifications of individual component parts. For example, a product using freely available open-source cryptographic software libraries may still be controlled. This is despite the fact that such libraries are often decontrolled in their own right.” The same applies to freely available encryption algorithms. “[A] product may still be controlled, and is not removed from control solely because the encryption algorithm it uses is freely available.”
So far as enforcement is concerned, the HK government publishes useful, general guidance for importers and exporters.
“An internal compliance programme involves a company’s commitment that its products will not be diverted to or used in weapons of mass destruction programmes. Vast majority of traders have no desire that their products be so used and wish to avoid such a possibility as much as they can. Implementation of an effective internal compliance programme is one way to demonstrate and ensure that this is the case.”
Such guidance goes further to describe the core elements of an adequate compliance programme, including: a policy commitment to compliance; and, the integration of quality and management practices, involving,
Businesses are also advised to be alive to ‘Red Flags’ – indicators that there may be end-user concerns necessitating further due diligence or a cessation of trade / suspension of relationship. Importers and exporters should be cautious if they encounter any of the following behaviours:
Importers and exporters should look again at their goods, customers and consignment practices to avoid obvious pitfalls leading to criminal liability and enforcement action.
*Countries subscribed to the Wassenaar Arrangement are: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, the Netherlands, New Zealand, Norway, Poland, Portugal, the Republic of Korea, Romania, the Russian Federation, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, Ukraine, the United Kingdom and the United States.