UK ECO decrypts cryptography note
The UK government has published guidance ‘to assist exporters to make their own assessment on the application of the “Cryptography Note” – Note 3 to Category 5 Part 2, Information Security as it appears in Annex I to Council Regulation (EC) No. 428/2009 (as last amended by Regulation (EU) No. 2268/2017).’
It says that ‘products that use cryptography are typically controlled under the dual use list. Note 3 is intended to exclude goods from control that:
- can be easily acquired by the general public
- require little or no support to install
- where the cryptographic functionality cannot be easily changed by the user
Note 3 also relaxes controls on certain components and software of such items.’
The note explains: ‘A very important general principle of control in Category 5 Part 2 is that a product is classified on the basis of its functionality and characteristics and considered as a standalone item. The item’s control list classification cannot be worked out solely from the classifications of individual component parts. For example, a product using freely available open-source cryptographic software libraries may still be controlled. This is despite the fact that such libraries are often decontrolled in their own right (by the General Software Note, for example). Equally, if a product uses an algorithm for which the specification is public, such as AES (Advanced Encryption Standard) or RSA (Rivest–Shamir–Adleman), the product may still be controlled, and is not removed from control solely because the encryption algorithm it uses is freely available.’