Export Control for products using or containing Data Encryption

9 May 2016 03:13 PM

Does your technology product use encryption for wireless communications? If you plan to export this product, can you be sure you are not breaking UK export laws?

Does your technology product use encryption for wireless communications? If you plan to export this product, can you be sure you are not breaking UK export laws?

Why technology devices use data encryption
Encryption is widely used to secure data transmitted wirelessly between electronic devices and is at the heart of the Internet of Things. Any wireless sensor will normally communicate using standard encryption protocols to ensure that the data is not intercepted or interfered with when transmitted to the router, host controller or cloud. There are now a variety of communication standards available such as ZIGBEE, which is used for industrial communications as well as in commercial products.

Restrictions on export
All commonly-used encryption methods use a key to enable encryption and decryption. Current EU regulations require an export licence for all products using symmetric algorithms with a key length over 56 bits. But many commonly-used encryption protocols now use key lengths of 1024 bits or more. All such products therefore are subject to export licence restrictions unless they are exempted on the grounds that they are ‘mass market’. But the UK Government interprets the criteria for defining what is ‘mass market’ much more narrowly than the US or some other EU Governments. This puts a disproportionate burden on UK exporters and is causing them to lose business.

Of even more importance is the fact that the export legislation, is not restricted to the physical product but also includes software and technology information related to the product. Phones, computers and tablets that contain product design data or software are also subject to licence restrictions is they travel outside of UK, and that could include company emails that relate to the product.

Many companies go to great lengths to ensure that they are able to comply with this law, but it is now widely accepted that standard encryption methods such as AES and wireless technology such as ZIGBNEE should be classed as ‘mass market’ and therefore not requiring a licence.

Consequences of breaking export law
Breaches of export controls are a criminal offence and can result in the seizure of your goods, an unlimited compound penalty (i.e. a fine in lieu of a prosecution), a fine of up to three times the goods’ value or, in cases where the regulations have been deliberately evaded, an unlimited fine and a prison sentence of up to 10 years.

We would like to hear from you if you are affected by this legislation
techUK in cooperation with ADS have been working with members, the Export Control Organisation (ECO) and (CESG) to address these issues and help Government push forward with urgent reforms.

On 10th May, the joint techUK-ADS Export Control Reform group will be meeting with CESG and ECO to discuss this matter. We are seeking a few volunteer companies to help present the case for the UK to adopt USA-type controls for ‘mass market’ products that use standard encryption methods. Please let me know if you would like to volunteer to attend this meeting. The next full meeting of the Export Controls reform group will take place the week after on the 19th May.

Meanwhile, we need to understand a bit more detail of how the current rules are affecting UK technology businesses. If you are aware of your business being affected by current ECO/CESG rules on products containing encryption, please would you complete the survey form below. Further background information is given below the survey in this email.

1. Are you being adversely impacted by this issue and the UK Government’s stance? Yes / No

If the answer to the above question is “Yes”, please provide a rough estimate of how much the compliance costs for your company are for dealing with current regulations, including in extra additional resource needed (which is a cost) and in lost business.
..........................................................................................................................................................................................................................................................................................

2. Is your company considering locating part or all of the affected business overseas? Yes / No

If so, what is the approximate size of the business that would be affected (people employed / £ pa)?
..........................................................................................................................................................................................................................................................................................

3. Do you have any written evidence that an overseas Government’s stance is different in this area to that of HMG? Yes / No

If the answer to the above question is “Yes”, please provide some further details:
..........................................................................................................................................................................................................................................................................................

All responses will be anonymised and amortised (and, of course) can be sent through the post, if deemed necessary to conserve confidentiality (!). These should be sent to: Ken.Ball@techUK.org.