Ottawa Business Journal
 
Decrypting Canadian Export Controls for Software with Security Capabilities
Mon, Sep 8, 2008 4:00 PM EST

The use of the Internet for electronic communication has resulted in a significant increase in the use of cryptographic security features in computer products. Many software products that appear to have absolutely nothing to do with computer security use cryptography to protect information generated, needed or shared by those products. The use of security capabilities such as Secure Sockets Layer or SSL has become so commonplace that software developers often give little thought to the effect the use of such capabilities may have on their ability to export. This is particularly so when the cryptographic capabilities in a product are provided by a third-party package linked to the product. Additionally, companies frequently do not appreciate that the electronic delivery or download of software programs to countries other than Canada or the United States is an export and requires compliance with certain restrictions.

A failure to appreciate the export-related consequences of introducing cryptographic capabilities into a product can cause significant business disruption when that failure is finally discovered. A company that fails to obtain the necessary permits for its export of products with cryptographic capabilities can be prohibited from exporting those products until such time as an appropriate export permit has been obtained (which can be a lengthy process) or until such time as the product is re-engineered to remove the offending cryptographic capabilities (again, potentially a lengthy process if even feasible). Obviously, an inability to ship products to customers outside Canada and the United States for a period of weeks or months can have a significant financial impact on a company. Unfortunately, export violations are usually discovered during due diligence for mergers, acquisitions or financings. In these cases, in addition to commercial sales disruption, such a discovery can negatively affect price and may end a potentially significant transaction. While Canadian authorities tend to be compliance-oriented rather than sanctions-oriented, the penalties for failures to obtain necessary export permits can be severe and may include imprisonment.

The Canadian government controls the export of goods and technology from Canada by maintaining a detailed list specifying the goods and technology that require an export permit. There are also various lists and regulations that specify the countries to which goods or technology may be exported. Canadian export control policy is also influenced by Canada's participation in a number of multilateral export control regimes. In particular, Canada is a participant in The Wassenaar Arrangement on Export Controls for Conventional Weapons and Dual-Use Goods and Technologies. This arrangement is particularly relevant to cryptographic products because under this arrangement these products have been classified as dual-use goods, meaning they can be used for both civil and military purposes. Because of this classification, cryptographic goods are subject to more rigorous export control by Wassenaar countries.

Canada implements its Wassenaar commitments through its detailed export control list, which contains a description of the types of cryptographic capabilities that will be subject to export permit requirements. This extensive export control list imposes permit requirements on systems, equipment, modules and integrated circuits that use cryptography (other than for authentication or digital signatures) having a symmetric algorithm with a key length in excess of 56 bits, an asymmetric algorithm with a key length in excess of 512 bits, or an elliptic curve algorithm with a key length in excess of 112 bits. The key lengths designated by Canada for export control are very low and, as a result, virtually any product that provides a reasonable level of security will fall within the restrictions imposed by the Department of Foreign Affairs and International Trade (DFAIT).

In addition to the parts of the regulations that describe the types of cryptography whose export is controlled, there are also complex provisions that provide exemptions from permit requirements. On the face of it, there are two exemptions that seem to provide much relief for a company seeking to export products containing cryptographic capabilities. Despite the seemingly expansive wording of these exemptions, DFAIT has interpreted them quite narrowly and, as a result, these exemptions do not in reality provide significant relief to licensors of business-oriented software. The first of these exemptions is the "mass market" exemption. Subject to meeting a number of other reasonably straightforward requirements, this exemption provides that the requirement to obtain an export permit does not apply to software that is generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: over-the-counter transactions; mail order transactions; electronic transactions; or telephone call transactions. At first glance, this exemption seems quite broad since a very wide range of software (including business-oriented software) is licensed in these ways. However, DFAIT has taken the position that this exemption does not apply to business-to-business transactions and that it applies only to consumer-oriented transactions. Accordingly, the "mass market" exemption is not currently available for companies that license software over the Internet or via telephone to business customers.

The second apparently useful exemption deals generally with open source software. Export control restrictions do not apply to software "in the public domain." For the purposes of this exemption, software is "in the public domain" if it has been made available without restrictions upon its further dissemination. The fact that a software program may still be protected by copyright, as is the case for many open source programs, does not preclude such software from being "in the public domain." At first glance, this exemption appears to exclude cryptographic capabilities that are provided by an open source software package. However, DFAIT has taken the position that this exemption does not apply to open source software which is combined with proprietary software. Accordingly, if an open source program, such as OpenSSL, is linked to and distributed with a proprietary program, then that proprietary program will be subject to an export permit requirement. This is the case even if the proprietary program does not contain any of its own cryptographic capabilities.

Accordingly, except for exports to the United States for end-use in that country, the current Canadian export control regime imposes an export permit requirement for commercial computer programs with relatively low key-strength cryptography unless those capabilities are used only for authentication or digital signatures. In addition, since the United States regulates the re-export of certain goods and technologies, it is also possible that United States export control provisions may be applicable to computer programs that have been developed (or partially developed) by U.S. persons, contain U.S. content, or are exported through the U.S. (including electronic distribution by or through servers in the U.S.).

The export of software containing controlled cryptographic capabilities is permitted after receipt of an export permit for that software. In this regard, the Canadian government grants a variety of different types of export permits for cryptographic goods, including temporary permits, single shipment permits, multiple shipment permits and broad-based permits. The most desirable export permit is the broad-based export permit, which generally allows multiple shipments of cryptographic goods and technology to a wide range of end users and countries with only a semi-annual reporting requirement. Unfortunately, this type of permit is also the most difficult to obtain and requires an exporter to have demonstrated a "track record" of export compliance and competency. This track record is typically demonstrated by having applied for and received previous individual export permits over a significant period of time. Given this requirement, it makes commercial sense for companies to start export compliance programs as soon as possible in a corporate or product lifecycle. Since applying for and receiving individual export permits can be a time-consuming process with wait times that typically do not match customer delivery expectations, companies should apply for export permits early and often so they can establish the necessary track record to allow them to obtain broad-based export permits before their commercial activity outside of Canada and the United States makes the filing of individual permits impractical.

Canadian export controls with respect to cryptographic capabilities apply in many circumstances that software developers and even sophisticated business people find surprising. By acting early and dealing proactively with export compliance issues, a company can develop the necessary processes and experience to ease its subsequent administrative burden, avoid potentially significant sales disruptions, and avoid unexpected and unwelcome surprises during due diligence for significant corporate transactions.

Michael Morgan is the head of the LaBarge Weinstein Licensing Group. He practices intellectual property law with an emphasis on complex transactions for the development, acquisition, licensing, use or other exploitation of technology products and services. E-mail him at mmorgan@lwlaw.com or visit www.lwlaw.com.

