Canadian and US Export Controls and Economic Sanctions: Key Steps for Mitigating Risk for Software and Technology Companies October 24, 2017 IT.Can Annual.

Presentation transcript:

Canadian and US Export Controls and Economic Sanctions: Key Steps for Mitigating Risk for Software and Technology Companies October 24, 2017 IT.Can Annual Conference Stephen Whitney VP, General Counsel, Sandvine Incorporated ULC

Agenda
- Overview of Canadian Export Controls
- Export Control List
- Export Permit Application Process

A. Overview of Canadian Export Control Laws
What is an “Export”?
- A physical shipment outside of a country’s border;
- Posting software on a web site that can be downloaded by someone in another country;
- Sharing of technical information visually, physically or orally (e.g., user manuals, schematics, drawings, files, procedures, conference calls, meetings, etc.)

What is an Import?
- With every export, there must be an import, which is bringing in goods and/or technology from another country
- The transfer into a country through physical or intangible (typically electronic) means.

Objectives of Export Controls
- do not cause harm to Canada and its allies;
- do not undermine national or international security;
- do not contribute to national or regional conflicts or instability;
- do not contribute to the development of nuclear, biological or chemical weapons of mass destruction, or of their delivery systems;
- are not used to commit human rights violations; and
- are consistent with existing economic sanctions' provisions.

B. Export Control List
The Export Control List, which is included in A Guide to Canada's Export Controls December 2015 (http://www.international.gc.ca/controls-controles/about-a_propos/expor/guide-2015_toc-tdm.aspx?lang=eng), identifies specific goods and technology that are controlled for export from Canada to other countries.
The Export Control List is divided into the following seven Groups:
- Group 1: Dual-Use List (used for both civil and military purposes). Includes cryptography
- Group 2: Munitions List
- Group 3: Nuclear Non-Proliferation List
- Group 4: Nuclear-Related Dual-Use List
- Group 5: Miscellaneous Goods and Technology
- Group 6: Missile Technology Control Regime List
- Group 7: Chemical and Biological Weapons Non-Proliferation List

Group 1, Category 5, Part 2 - 1-5.A.2. SYSTEMS, EQUIPMENT AND COMPONENTS (HARDWARE)
1-5.A.2. “Information security” systems, equipment and components therefor, as follows:
Systems, equipment and components, for cryptographic “information security”, as follows:
Designed or modified to use "cryptography" employing digital techniques performing any cryptographic function other than authentication, digital signature or the execution of copy-protected "software", and having any of the following:
- A "symmetric algorithm" employing a key length in excess of 56 bits; or
- An "asymmetric algorithm" where the security of the algorithm is based on any of the following:
  1. Factorisation of integers in excess of 512 bits (e.g., RSA);
  2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
  3. Discrete logarithms in a group other than mentioned in 1-5.A.2.a.1.b.2. in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);
… More listed in b. through e.

1-5.A.2.a does not apply to any of the following:
a. Smart card and smart card ‘readers/writers’ as follows: ….
Cryptographic equipment specially designed and limited for banking use or ‘money transactions’
c. through h.
Routers, switches or relays, where the “information security” functionality is limited to the tasks of “Operations, Administration or Maintenance” (“OAM”) implementing only published or commercial cryptographic standards; or
j. General purpose computing equipment or servers, where the “information security” functionality meets all of the following:
  1. Uses only published or commercial cryptographic standards; and
  2. Is any of the following:
    a. Integral to a CPU that meets the provisions of Note 3 in Category 5 - Part 2;
    b. Integral to an operating system that is not specified by 1-5.D.2.; or
    c. Limited to “OAM” of the equipment.

Group 1 – Dual-Use List - Category 5 - Part 2: “Information Security”
No export permit needed from Government of Canada if:
- Exporting for personal use; or
- Your good is within a named category (1-5.A.2, 1-5.A.3, 1-5.A.4, and 1-5.D.2) and your export meets:
A. the crypto note or mass market criteria
  a. Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
    1. Over-the-counter transactions;
    2. Mail order transactions;
    3. Electronic transactions; or
    4. Telephone call transactions;
  b. The cryptographic functionality cannot easily be changed by the user;
  c. Designed for installation by the user without further substantial support by the supplier; and
  d. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs (a) to (c) above; or

Group 1 – Dual-Use List - Category 5 - Part 2: “Information Security” (cont.)
B. Hardware components or ‘executable software’, of existing items described in paragraph A. of this Note, that have been designed for these existing items, and meeting all of the following:
  a. "Information security" is not the primary function or set of functions of the component or 'executable software';
  b. The component or ‘executable software’ does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;
  c. The feature set of the component or ‘executable software’ is fixed and is not designed or modified to customer specification; and
  d. When necessary as determined by the appropriate authority in the exporter’s country, details of the component or ‘executable software’, and details of relevant end-items are accessible and will be provided to the authority upon request, in order to ascertain compliance with conditions described above.

3. Category 5–Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:
  a. The primary function or set of functions is not any of the following:
    1. “Information security”;
    2. A computer, including operating systems, parts and components therefor;
    3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
    4. Networking (includes operation, administration, management and provisioning);
  b. The cryptographic functionality is limited to supporting their primary function or set of functions; and
  c. When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.

1-5.D.2. SOFTWARE
1-5.D.2. “Software” as follows:
a. “Software” specially designed or modified for the “development”, “production” or “use” of equipment specified by 1-5.A.2, 1-5.A.3 or 1-5.A.4, or of “software” specified by 1-5.D.2.c.;
b. …
c. Specific “software” as follows:
  1. “Software” having the characteristics, or performing or simulating the functions of the equipment, specified by 1-5.A.2., 1-5.A.3 or 1-5.A.4;
  2. “Software” to certify “software” specified by 1-5.D.2.c.1.
  Note: 1-5.D.2.c. does not apply to “software” limited to the tasks of “OAM” implementing only published or commercial cryptographic standards.
d. “Software” designed or modified to enable, by means of “cryptographic activation”, an item to meet the criteria for functionality specified by 1-5.A.2.a. that would not otherwise be met.

C. Export Permit Application Process
- Apply online – EXCOL system
- Application Review Period:
  - Up to 10 business days for routine
  - Up to 8 weeks for complicated
- Plan ahead, apply early, and know you can receive questions from Government and (rare) requests for in-person meetings

Approvers of Export Permits primarily include:
- Dept of Foreign Affairs, Trade and Development Canada (DFAT)
- Communications Security Establishment of Canada (CSEC)

Types of export permits
- Individual export permit to a specified consignee/recipient
- General Export Permit (GEP)
- Multiple Destination Permit (MDP)

1. Individual Export Permit
When preparing an individual export permit application, the supporting material typically includes:
- Cover letter explaining the overall nature of the proposed transaction, including the roles of the parties involved and the end-use of the product.
- Name of exporter
- Name of consignee/recipient
- Address of consignee
- Name of goods being exported (model # or version #)
- Quantity to be exported
- Individual value and total value of export?
- Country of manufacture
- US Content %
- Self Assessment of applicable Export Control List Number
- End-use statement (to be signed by consignee)
- Any available technical specification documents
- Cryptography and Information Security Product Questionnaire or *CSEC Questionnaire*

*Sample* Abbreviated End-Use Statement (on final consignee letterhead)
To: Export Controls Division
Foreign Affairs and International Trade Canada
The following products: [insert products] will be exported to us by [Canadian exporter] and will be used by us [at State final consignee address].
The above-mentioned products will be used for: [state purpose]
The above-mentioned products will not be used for military purposes nor in any nuclear or missile proliferation activity, in the design of chemical or biological weapons nor resold or exported to any entity involved in such activity.
I_______________________________
Signature

Cryptography and Information Security Product Questionnaire or *CSEC* Questionnaire
1. Provide general marketing/promotional information describing the product, including the product name and version number as applicable, or other documentation or specifications related to the technology or software.
2. What cryptographic algorithms and strengths are employed and for what purposes (e.g., digital signature, authentication, confidentiality of data, etc.)? Identify the key length as well as whether the algorithm is symmetric or asymmetric.
3. Provide details on the product architecture. Is the cryptographic engine user-accessible or modifiable? Describe how the architecture and/or distribution method inhibit user accessibility.
4. Describe how the product architecture prohibits modification of the product-use for which it was designed. State how the product is written to preclude user modification of the encryption algorithms, key management and key space.
5. For products which incorporate an Open Cryptographic Interface, describe the Open Cryptographic Interface.

Questionnaire cont.
6. For products which incorporate encryption-related Application Programming Interfaces (APIs), describe the APIs that are implemented and/or supported. Explain which interfaces are for internal (private) and/or external (public) use.
7. Describe whether the cryptographic routines are statically or dynamically linked, and the routines (if any) that are provided by third-party modules or libraries. Identify the third-party manufacturers of the modules or toolkits.
8. In what form will the software be distributed/exported (e.g., source code, object code, etc.)?
9. How will the product be installed?
10. Is the product currently being used by any Department(s) at any level of government in Canada (either Federal, Provincial and/or Municipal)? If so, please state which one(s).
11. Is the product being considered for purchase by any Department(s) at any level of government in Canada (either Federal, Provincial and/or Municipal)? If so, please state which one(s).
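Question 2 of the questionnaire asks for each algorithm, its key length and its purpose, and the 1-5.A.2 slide quotes the bit-length parameters those answers are read against. The following Python is an added example, not part of the presentation: it builds that table from a constructed inventory and marks each entry against the quoted parameters only (the 1-5.A.2.a exclusions, the crypto note and Note 3 are not modelled). The basis labels, `CryptoUse` and the sample product are assumptions of the example.

```python
from dataclasses import dataclass

# Bit-length parameters quoted on the 1-5.A.2 slide, keyed by what the
# algorithm's security is based on. The key names are this example's own.
PARAMETER_BITS = {
    "symmetric": 56,
    "integer_factorisation": 512,  # slide's example: RSA
    "finite_field_dlog": 512,      # slide's example: Diffie-Hellman over Z/pZ
    "other_group_dlog": 112,       # slide's example: DH over an elliptic curve
}

# Cryptographic functions the slide excludes from 1-5.A.2.a.
EXCLUDED_PURPOSES = {"authentication", "digital signature",
                     "execution of copy-protected software"}


@dataclass(frozen=True)
class CryptoUse:
    algorithm: str   # name as it appears in the product
    basis: str       # one of the PARAMETER_BITS keys
    key_bits: int
    purpose: str     # what the product uses the algorithm for


def screen(use: CryptoUse) -> str:
    """Classify one use against the quoted parameters only."""
    if use.basis not in PARAMETER_BITS:
        raise ValueError(f"unknown basis {use.basis!r} for {use.algorithm}")
    if use.purpose.lower() in EXCLUDED_PURPOSES:
        return "excluded function"
    # The slide says "in excess of", so a key exactly at the limit passes.
    if use.key_bits > PARAMETER_BITS[use.basis]:
        return "exceeds parameter"
    return "within parameter"


def question_2_rows(inventory):
    """One line per use: algorithm, class, key length, purpose, screen result."""
    rows = []
    for use in inventory:
        kind = "symmetric" if use.basis == "symmetric" else "asymmetric"
        rows.append(f"{use.algorithm}: {kind}, {use.key_bits}-bit, "
                    f"{use.purpose} [{screen(use)}]")
    return rows


def needs_review(inventory):
    """Names of the uses that exceed a quoted parameter."""
    return [u.algorithm for u in inventory if screen(u) == "exceeds parameter"]


# Constructed inventory for a hypothetical product.
SAMPLE_INVENTORY = [
    CryptoUse("AES-256-GCM", "symmetric", 256, "confidentiality of data"),
    CryptoUse("DES", "symmetric", 56, "confidentiality of data"),
    CryptoUse("RSA-2048", "integer_factorisation", 2048, "digital signature"),
    CryptoUse("ECDH P-256", "other_group_dlog", 256, "key agreement"),
    CryptoUse("HMAC-SHA-256", "symmetric", 256, "authentication"),
]

if __name__ == "__main__":
    print("\n".join(question_2_rows(SAMPLE_INVENTORY)))
    print("Exceeds a quoted parameter:", needs_review(SAMPLE_INVENTORY))
```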

Receive Individual Export Permit: Now What?
- Before you begin exporting, read your export permit carefully
- Validity Period for Individual EP: 2 years
  - Can request shorter or longer (up to 5 years)
- Version Numbering:
  - If a permit is issued for version 1.1, ok to use permit to export versions 1.2 and 1.3 (assuming no change to the cryptographic functionality).
  - Need to obtain new EP for version 2.1 of the same software.

Where You Can’t Export To When You Obtain an Individual Export Permit
- Exports to the following will be prohibited:
  - Countries on Canada’s Area Control List
    - Currently: North Korea
  - Countries with sanctions (may or may not apply to your circumstances); sanctions can apply to both entities and individuals

Sanctions
http://www.international.gc.ca/sanctions/countries-pays/index.aspx?lang=eng
Presently, Canada imposes trade controls of varying degrees on activities involving the following countries (and in many cases, listed entities and individuals associated with them): Belarus, Burma (Myanmar), Côte d'Ivoire, the Democratic Republic of the Congo, Cuba, Egypt, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Pakistan, Russia, Somalia, Sudan, Syria, Tunisia, Ukraine and Zimbabwe.

2. General Export Permit (GEP)
- GEPs do not require an export permit application
- You export and report bi-annually about your exports, assuming you meet certain criteria

GEP No. 45 Cryptography for the Development or Production of a Product
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2012-160/FullText.html
If you meet the criteria set out in GEP No. 45, residents of Canada may export or transfer all goods and technology referred to in Group 1-5 Part 2 of “A Guide to Canada's Export Controls”, excluding those goods and technology referred to in:
a. items 1-5.A.2.a.2., 1-5.A.2.a.4., or 1-5.A.2.a.9. of A Guide to Canada's Export Controls.

GEP No. 46 Cryptography for Use by Certain Consignees
http://www.international.gc.ca/controls-controles/systems-systemes/excol-ceed/notices-avis/186.aspx?lang=eng
If you meet the criteria set out in GEP No. 46, residents of Canada may export or transfer all goods and technology referred to in Group 1-5 Part 2 of “A Guide to Canada's Export Controls”, excluding those goods and technology referred to in:
a. items 1-5.A.2.a.2., 1-5.A.2.a.4., or 1-5.A.2.a.9. of A Guide to Canada's Export Controls.

3. Multiple Destination Permit
Can export to all countries except:
- Countries on Canada’s Area Control List
- Countries subject to Canadian Economic Sanctions (including UN Act and Special Economic Measures Act)
Sanctions apply to following countries: Central African Republic, Congo, Eritrea, Iran, Iraq, Lebanon, Libya, Myanmar, North Korea, Russia, Somalia, South Sudan, Sudan, Syria, Tunisia, Ukraine, Venezuela, Yemen, and Zimbabwe
Country list: Belarus, Central African Republic, Cote d’Ivoire, Cuba, Congo, North Korea, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, Libya, Myanmar, Pakistan, Russia, Somalia, Syria, South Sudan, Sudan, Tunisia, Ukraine, Yemen, and Zimbabwe
- Export for end-use that is directly or indirectly related to research, development or production of chemical, biological or nuclear weapons, or any missile programmes for such weapons;
- Export of technical information related to design, development or implementation of the crypto; and
- Export of source code or pseudo-code, in any form, of the crypto.

Suggestions for Dealing with Government
- Only answer the questions and nothing more
- CSEC will ask because they want to know or someone else wants to know - Five Eyes
- Watch out for questions like: “Are the Russians still asking for source code?”

Disclosures of Non-Compliance
- Voluntary disclosure for non-compliance
- The Export Controls Division looks favourably upon voluntary disclosures
- Seek legal advice before making disclosure