Use Caution When Traveling With Encryption Software
If you bring a laptop or smartphone outside of the United States, you need a basic understanding of how international export control laws may apply to your device’s encryption software.
Encryption software that is resident on a laptop or a smartphone is subject to export control regulations by the Commerce Department’s Bureau of Industry and Security, which enforces the export administration regulations. This is a separate issue from any technical data that may be resident on a device, which is governed by International Traffic in Arms Regulations.
The level of regulation and available license exceptions under the export administration regulations for encryption software depends on its technical specifications and the public availability of the source code.
First, laptops with pre-loaded encryption software may qualify for the temporary exports-tools of the trade (TMP) license exception, permitting the outbound export of a laptop for professional use purposes. The TMP exception applies to symmetric commercial-grade encryption with a key length of fewer than 64 bits. It does not apply to items containing cryptography functionality such as dual-use cryptanalytic or quantum. To comply with a TMP license, the item must be used for professional purposes, returned within 12 months, and be kept under effective control of the exporter, such as in a hotel safe when not in use. The exporter must take precautions against the unauthorized release of controlled technology. The TMP license exception is not available to embargoed countries, such as Cuba, Iran, Syria and Sudan.
Also, depending on the encryption grade and the traveler’s expected use of the item with encryption software, license exceptions are available under the export regulations, including encryption commodities and technology for higher grade encryption.
Outbound U.S. regulations are not the only consideration for those traveling with encryption software. Many countries regulate the inbound use of encryption software. In China, for example, the State Cryptography Administration (SCA) serves as the national authority for regulating encryption products and has promulgated multiple rules on encryption controls. Although thousands of individuals carry laptops and smartphones with encryption in and out of China daily, it is not risk free. Under SCA policy, standard mass-market products are not subject to the encryption regulations, but the encryption regulations remain incongruent with this policy and provide the latent underpinning for broader enforcement.
The policy predates the rise of smartphones and certain advancements in encryption software commonplace on laptops. If traveling to China with encryption software, one should consider checking the encryption regulations and following up with any applicable encryption license applications.
Through the Wassenaar arrangement, participating countries have created a “personal use” exemption for people traveling with encryption software. Wassenaar is an international export control agreement that contributes to regional and international security by promoting transparency in the transfers of conventional arms, dual-use items and technologies among the participating countries.
Under the personal-use exemption for encryption software, a traveler may have encryption software on his device, so long as he does not create, enhance, share, sell or distribute the encryption technology while traveling through the participating country. The following countries permit this exemption: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom and the United States.
Unfortunately, not all the Wassenaar participant countries allow the personal-use exemption. Neither the Russian Federation nor Ukraine permits the entry of encryption devices that are allowed under the arrangement. Specifically, Russia retains broad inbound encryption license requirements, which boasts some of the most restrictive encryption regulations in the world. It controls the import, export and use of encryption technology. The Russian Federation requires a temporary import license for use of laptops with encryption technology.
The U.S. State Department advises those persons traveling to Russia that taking laptops into that nation is unrestricted, but software may be inspected upon leaving. Any computer or software containing sensitive or encrypted data may be confiscated by Russian authorities.
Of the many countries that regulate the use of inbound encryption software, Israel, too, recognizes a personal-use exemption. But Israeli customs personnel may request the password to confirm the data is personal. The State Department warns those traveling to Israel with audio-visual or data storage and processing equipment, and other electronic devices to expect additional security-related delays, and some travelers have had equipment and devices confiscated for long periods. In some cases, the State Department said, travelers reported that equipment retained by Israeli authorities had been damaged, destroyed, lost or never returned.
The State Department also warns that Israeli security officials have requested access to travelers’ personal email accounts or other social media accounts as a condition of entry. Travelers should have no expectation of privacy for any data stored on such devices or accounts.
When traveling to a country with restrictive encryption practices, it is best to take only what is needed, and know what you are taking. To be safe, a traveler can request a “loaner laptop” from his employer or simply remove the encryption software from the laptop before traveling.
Jeffrey G. Richardson is a senior attorney for Miller, Canfield, Paddock and Stone PLC’s export controls practice group in Troy, Mich.
Topics: Cyber, Cybersecurity, International