Notice to exporters 2018/07: guidance on the ‘Cryptography Note’
Published 3 April 2018
This guidance is provided to assist exporters to make their own assessment on the application of the ‘Cryptography Note’ – Note 3 to Category 5 Part 2, Information Security as it appears in Annex I to Council Regulation (EC) No. 428/2009 (as last amended by Regulation (EU) No. 2268/2017).
Products that use cryptography are typically controlled under the dual use list. Note 3 is intended to exclude goods from control that:
can be easily acquired by the general public
require little or no support to install
where the cryptographic functionality cannot be easily changed by the user
Note 3 also relaxes controls on certain components and software of such items.
Note 3 is found at the beginning of Category 5 part 2, ‘Information Security’, of the EU dual use list. There are various other notes within Category 5 part 2, which decontrol specific technologies, but are separate and distinct from Note 3.
If you’re not sure whether Note 3 applies to one of your products, you can consider applying for an export licence. Include in your application all product details that are relevant to issues discussed here. As stated in Note 3, the licensing authority may request more information as evidence of eligibility.
If Note 3 applies to a hardware or software item, then it is released from control under sections 5A002 and 5D002 of Category 5 Part 2. But it may still be controlled elsewhere in the EU Dual Use or UK Military Lists and may still be subject to end-use controls, ‘catch all’ controls and sanctions. If none of these apply, then no licence is required to export that item from the UK.
A very important general principle of control in Category 5 Part 2 is that a product is classified on the basis of its functionality and characteristics and considered as a standalone item. The item’s control list classification cannot be worked out solely from the classifications of individual component parts. For example, a product using freely available open-source cryptographic software libraries may still be controlled. This is despite the fact that such libraries are often decontrolled in their own right (by the General Software Note, for example).
Equally, if a product uses an algorithm for which the specification is public, such as AES (Advanced Encryption Standard) or RSA (Rivest–Shamir–Adleman), the product may still be controlled, and is not removed from control solely because the encryption algorithm it uses is freely available.
The note is subdivided into two parts, 3a and 3b.
Note 3a exempts from control under sections 5A002 and 5D002 items that meet all of the following:
1 Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
a. Over-the-counter transactions;
b. Mail order transactions;
c. Electronic transactions; or
d. Telephone call transactions;
2 The cryptographic functionality cannot easily be changed by the user;
3 Designed for installation by the user without further substantial support by the supplier; AND
4 When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs 1. to 3. above.
In addition the following Note clarifies the interpretation of Note 3a:
Note to the Cryptography Note:
1 To meet paragraph a. of Note 3, all of the following must apply:
a. The item is of potential interest to a wide range of individuals and businesses; and
b. The price and information about the main functionality of the item are available before purchase without the need to consult the vendor or supplier. A simple price enquiry is not considered to be a consultation.
2 In determining eligibility of paragraph a. of Note 3, competent authorities may take into account relevant factors such as quantity, price, required technical skill, existing sales channels, typical customers, typical use or any exclusionary practices of the supplier.
Examples of items commonly removed from control by Note 3a include:
general purpose consumer operating systems
home-use networked devices such as broadband routers, smart TVs and games consoles
components for consumer desktop PCs, such as CPUs and graphics cards, which are designed for installation by the general public
Note 3a general principles
The principles below describe in more detail some of the factors considered when determining if a product is eligible for Note 3. An exporter may be asked to provide further detail about the product to determine eligibility (Note 3a, paragraph 4). In this case the licensing authority will contact the exporter to request the information required.
Availability – Note 3a paragraph 1
An item is normally considered generally available to the public if it is sold:
without limitation or qualification of the purchaser
intended for use by the general public
the seller does not discriminate between buyers
Limitations such as standard end-user licence agreements or copyright requirements would not necessarily prevent an item from being Note 3a eligible. But as the clarifying note says, price and information about the item’s functionality must be available before purchase without the need to consult the vendor or supplier.
The product must also be of potential interest to a wide range of individuals and businesses. Products that are only of interest to specialised groups (such as healthcare professionals, legal practitioners or telecoms engineers) would not generally fall within the scope of Note 3a. But the mere fact that a product is used by a specialised group does not automatically exclude it from Note 3a (for example, a general purpose tablet that is aimed and marketed at healthcare professionals – but could be used by a wider range of industries).
Note 3a identifies four different means of acquisition of a product:
It is not necessary for an item to be available for sale by all four means to be covered by the note.
A product customised for a particular purchaser would not notmally be considered to be generally available from stock within the meaning of paragraph 1. However, in cases where the customisation involves a simple choice from a list of standard stock options – selecting the amount of RAM or HDD storage on a laptop computer for example – the product is still be considered ‘generally available’. This would not be the case for arbitrary customisation for a specific individual. Using a car as an example, this could be compared to choosing options such as paint colour versus requesting a specially designed and bespoke engine, not available to the general public.
The price of a product should be known before purchase, and can be an indication of whether it is of potential interest to a wide range of individuals and businesses, as required by the Note to the Cryptography Note. A high price is not necessarily a barrier to achieving Note 3 decontrol. In this context it is often useful to consider price relative to that of comparable items on the market.
Similarly, the product’s full range of technical capabilities, and the required technical skill to use these, may be relevant to whether it is considered of potential interest to a wide range of individuals and businesses, as required by the Note to the Cryptography Note.
Cryptographic functionality – Note 3a paragraph 2
Paragraph 2 of Note 3a requires that the cryptographic functionality cannot easily be changed by the user. If the user can edit, add or remove cryptographic algorithms, for example by changing source code, then the product would not normally meet this condition of the note. In general, source code is unlikely to meet the requirements for Note 3, because of the ease in which it can be changed by the end user.
Examples of situations in which this condition of Note 3a is normally met are:
cryptographic functionality cannot be modified by the user
user can change the cryptography by making a selection from a preset list of algorithms and key sizes, and this is easy to do
user can easily turn the cryptography on or off
Products for which the user can edit, add or remove cryptographic algorithms, such as by changing source code, offloading cryptographic operations to an external entity, or some other mechanism, do not normally meet this condition of the note. Examples of situations where cryptographic operations are offloaded could involve using an external secure sockets layer (SSL) accelerator or hardware security module (HSM) to increase efficiency or security of the overall system.
Installation – Note 3a paragraph 3
Paragraph 3 of Note 3a requires that the product is designed for installation by the user without further substantial support by the supplier. A user is generally understood to be a member of the public, and not a person with specialist skills or qualifications such as someone in the IT department of a large organisation. To meet this criterion, the product should be suitably straightforward to install by a member of the public, and not necessarily someone with specialist skills.
The term supplier is normally considered to be the original manufacturer, retailer or distributor and is it is not automatically assumed to be the exporter.
If the installation of a product needs specialist skills or training, then it is unlikely to meet Note 3a. Similarly, if it requires a special environment that is not generally available to the public, such as specialist cooling or power supplies, then it is unlikely to meet the note.
If the installation can only be performed by a technician provided by the supplier, or requires the use of technical instructions or guides that are aimed at specialists, then the product would normally be considered to be designed for installation with further substantial support from the supplier, and hence would not qualify for Note 3a.
Services such as the following do not preclude a product from meeting Note 3a:
optional on-site installation support provided through the retail outlet at which the product was purchased
provision of installation instructions that are included in the product packaging
provision of assistance in the form of a helpline or website where a user without technical expertise can ask questions or obtain clarification about installation instructions
Note 3b exempts from control items that meet the definition below:
Hardware components or ‘executable software’, of existing items described in paragraph a. of this Note, that have been designed for these existing items, meeting all of the following:
‘Information security’ is not the primary function or set of functions of the component or ‘executable software’;
The component or ‘executable software’ does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;
The feature set of the component or ‘executable software’ is fixed and is not designed or modified to customer specification; and
When necessary as determined by the competent authorities of the Member State in which the exporter is established, details of the component or ‘executable software’ and details of relevant end-items are accessible and will be provided to the competent authority upon request, in order to ascertain compliance with conditions described above.
Generic examples of items that are likely to be removed from control by Note 3b include but are not limited to:
wifi chips designed for an existing model of tablet or wearable device
zigbee chips designed for an existing model of consumer Internet of Things device
general purpose processors or micro-processors for an existing model of smartphone
Note that, apart from executable software, technology and software are generally not limited to specific note 3 decontrolled items and as such are not normally likely to be excluded from control by note 3b.
Note 3b general principles
Note 3b removes from control certain components or ‘executable software’ that are designed to be incorporated into items that are themselves eligible for Note 3a. To be eligible for Note 3b, the component or ‘executable software’ must meet all of the criteria listed. Note 3b eligibility will be considered on a case by case basis.
In this guidance we address the case of a hardware component rather than ‘executable software’, since this is more typically encountered.
‘Existing items’ generally means specific items that are already available and that meet Note 3a. In many cases components will be designed for a specific item that already exists. But in some cases, Note 3b might also be applied to components that have been designed for a new model of an existing item. Here the specific model that will incorporate the component may not yet be readily available, but may be the next generation of a family of products that meet note 3a. In this case, note 3b may still be applied to the component, but enough detail about the new ‘relevant end-item’ must be available to support a determination.
Primary function – Note 3b paragraph 1
This paragraph requires that ‘information security’ is not a primary function of the component. The component may contain cryptography, or have ‘information security’ characteristics, but these should not be a primary function. A wifi chip that implements standard protocols using cryptography, such as WEP (wired equivalent privacy) or WPA2 (wifi-protected access 2) has a primary function of providing wireless communications. In this case, if the chip meets all the other requirements of Note 3b and is not controlled elsewhere then it may be decontrolled by Note 3b.
Examples of items that do NOT qualify under this paragraph would be a crypto acceleration co-processor or chips with tamper defence built in, as the primary function of these items is to support information security.
Cryptographic functionality – Note 3b paragraph 2
This paragraph requires that the component does not change the cryptographic functionality or add new functionality to the existing item. If the component adds new algorithms or modifies the way existing cryptographic functions are executed then it would not meet this condition of the note.
In the case of a component that is an upgrade for a previous generation of component in an existing Note 3a item, the requirement of paragraph 2 is that the new component should implement the same cryptographic functionality as the original component.
If a component does change the cryptographic functionality of the existing item, then the modified existing item should be re-assessed against the Note 3a criteria.
Feature set – Note 3b paragraph 3
This paragraph requires that the component or ‘executable software’ is not changed to meet unique specifications specified by the customer of the overall equipment.
Further information – Note 3b paragraph 4
When necessary, to determine eligibility, exporters will be asked to provide more details about their component and the product into which the component will be incorporated. Technical specifications for the ‘relevant end-item’ must be readily available and may be requested by the licensing authority to help assess Note 3b eligibility.
The Export Control Organisation within the Department for International Trade’s Export Control Joint Unit is the licensing authority for the UK’s strategic export controls.
The factors that determine whether Note 3 applies to a product can change. For example, the cryptographic functionality may change, or the product may no longer be generally available. In these circumstances a new determination will need to be made.