A New Landscape for Information Technology Export Controls: Part 2 – Export Controls on Telecommunications
Part 2 of a Three Part Series by Felice Laird, Export Strategies, LLC
For many years, Category 5 Part 1 remained largely unchanged in the Commerce Control List (CCL). Telecom hardware products (switches, routers, storage devices, etc.) on the market typically use encryption for user authentication and remote management as well as for data transmissions over private and public networks and thus were classified as “encryption products”
instead of “telecom products”. Over the past 10 years or so, some telecom equipment has been decontrolled through Notes in 5A002, that is, specifically carved out of Category 5 Part 2, only to fall back into Category 5 Part 1 (usually 5x991). Confusing, yes! We will get into Category 5 Part 2 in the next installment of this article series.
Despite no significant changes in the 5x001 ECCNs, the US, along with fellow Wassenaar members, have discussed adding controls to Category 5 Part 1, for many years. In fact, there has been a control in the Wassenaar Dual Use list Category 5 Part 1 that covers “IP network communications surveillance systems or equipment” (5. A. 1. j.) The US has never amended the CCL to include this. However, at the December 2019 Plenary, Wassenaar added a new software control on specially designed or modified surveillance software for law enforcement. The US did add these new controls (5D001.e.1 and e.2) to the CCL on October 5, 2020. The “Reason for Control” listed for 5D001 for this type of software is “National Security” (NS) and “Anti -Terrorism”(AT).
The intent of the new control is to cover software that can extract data from intercepted communications that use certain words in their content (“hard selectors”) or are sent and received by specific parties (“metadata”) and use the extracted data to build relational databases and track movements of targeted individuals. The concern among Wassenaar members is that this type of software can be used by government agencies to spy on citizens. There may not be many companies out there that design these systems for law enforcement, so the effect may be limited. However, it’s worth pointing out that the Department of State has the primary role in US policy and is in charge of monitoring human rights violations globally, and that may mean a bigger seat at the table in US export licensing decisions (for more on this topic see the excellent summary by my friends at Arent Fox , and possibly even classification decisions.
For those who deal with exports of encryption or information security products, Felice Laird offers a series of Live and On Demand Webinars that range from the Basics of Encryption, to DIY Encryption Classifications, to Advanced Encryption Classifications.