There appears to be very little available in the way of easily digested guidance material describing how to go about complying with the export laws of various nations, as applies to Advanced Encryption Standard (AES) accelerator equipped MCUs; i.e. most of the EFM32 line-up.
As such, I hope this thread might become a useful source of information about how to go about applying for, or seeking exemption/exception from, the export license requirements of the UK/EU, USA and other countries anyone has any interest in. I'm particularly interested in how export controls might affect open source projects, but any information at all would be gratefully received.
I'm currently at a very early stage of investigating my legal obligations (in the UK). From what I've read so far, the easiest course would be to seek an export licence exemption. That may not be achievable, (as explained below) so I will likely need to gain an export licence.
I first became aware that export control laws had any impact on the free movement of MCUs, when I ordered some EFM32LG devices for prototyping requirements. Before the supplier could process my order, they required me to complete and return a form titled: Customer End-User Certificate - Encryption Commodities and Software (ENC) license exception. The reason stated that I needed to complete it was, that the EFM32LG devices contain an AES Accelerator.
The key part of the certificate is this compliance notification:
Compliance Notification to the Buyer described above.
Mouser Electronics hereby notifies the Buyer that products distributed by Mouser under the Encryption Commodities and Software (ENC) license exception are subject to section 740.17 paragraph (a)(1) of the Export Administration Regulations (EAR) of the United States of America. Which further stipulates that any encryption item produced or developed with an item exported or reexported under paragraph (a)(1) is subject to the EAR and requires review and authorization before any sale or transfer outside of the private sector end-user that developed it.
By signing this document the person listed below acknowledges and accepts the restrictions described in section 740.17 paragraph (a)(1) of the Export Administration Regulations (EAR) of the United States of America.
To summarise the requirements of that Compliance Notification: Even though I'm not based in the USA, if I subsequently sent, (never mind sold) my EFM32LG equipped prototypes to anyone else, I'd have to ensure that my 'product' complies with the Export Administration Regulations (EAR) of the United States of America.
At that point I realised I'd also need to comply with the export laws of the United Kingdom...
The following text summarises the interpretation of EU legislation available at the link below, as it applies in the UK:
Cryptographic items subject to export controls are listed in Category 5 Part 2 of the European Union (EU) Dual-Use List...
...If cryptographic items, including components, are included on this list, then they will need an export licence, unless they fall under an exemption.
Details of what cryptography is exempt from export licensing requirements are outlined in the Cryptographic Note (CN) found under Category 5 Part 2 of the list. The CN is intended to decontrol cryptographic items sold to the general public for home, office or business use.
Conditions of the Cryptographic Note
The CN reads as follows:
5.A.2 and 5.D.2 do not control items that meet the following four conditions:
All four conditions have to be met for the decontrol to apply
Now, as I interpret the Conditions of Cryptographic Note above, if a product and it's software is in the public domain, (open source) then the cryptographic functionality of the product could, (with relative ease) be changed by the user - and therefore exemption from licencing is not possible. If you know otherwise or have any experience in this minefield and know how best (or how best not) to proceed, please share.
As a brief follow-up to the topic initiated by hairykiwi:
With the reference to EFM32LG (or any other of our EFM32 products with AES accelerator):
We (former Energy Micro) used to ship these from Norway and was required to have Export licenses because of the AES encryption inside our MCUs and Kits based on these. In Norway, these are issued by Norwegian Foreign Ministry.
In short, the Norwegian export license deals with 3 categories of countries:
1) The member states of the Wassenaar Arrangement
2) Those that are not part of the arrangement and not being on the Norwegian Governments list of sanctioned countries
3) Countries on the above mentioned sanction list.
The export control for category 1 is less stringent: A general license (i.e. not limited to a particular shipment) may be granted and can cover a requested family of products and/or group of countries
As for category 2, the license may be limited to only one product and one particular country and even one particular shipment. Some kind of end-user statement (e.g. "goods not being used for development of Weapon of Mass destruction..." etc) by the consignee may be required. In addition, some conditions may apply.
For category 3, no export license would be granted.
Although the main purpose of the export license is to regulate export of goods from one country into another, it can also have conditions for regulating re-export. An example of a condition for category 2 could be "re-export can only be done to countries not listed on the sanction list".
I am by far no expert in this matter, my intention is purely to highlight that the topic is not straightforward and complicated by the fact that different rules apply to the different countries.
I would advise those who believe that export control would apply to their product to:
1) Seek out information directly from a competent source, either people within your company, or the proper authority in the country of export.
2) Start the process early, well ahead of any product launches. It may take several months to obtain a license.
Thanks for the info Kennethp.
All your advice appears to be sound and very interesting. But it also appears to have been recently superseded; according to the following knowledge base article at least:
The kb article isn't as easily found as these community posts, hence why I'm cross-referencing the kb article to this thread.
The kb article suggests all Silicon Labs MCUs are now subject to the requirements of EAR99 rather than those of an ECCN.
The following page provides a highlight of the differences in requirements for ECCN 5A002.A.1.A vs EAR99.
http://mohawkglobal.com/global-news/my-goods-are-ear99-why-do-i-have-to-screen/ - ECCN 5A002.A.1.A was perhaps the most appropriate classification previously used for EFM32 MCUs - by avnet.com for example.
As I read the requirements, EAR99 simply requires due diligence to be carried out on each export consignment - paperwork without official, export licence paperwork, it would appear.
What would be universally appreciated, I'm sure, is if Silicon Labs could update their global supply partners with this latest information. And equally, as I suggested in my comment to the kb article, include the appropriate ECCN or EAR status in the device data sheets, as many other MCU manufacturers do. This would certainly be useful when applying for an export classification from a BIS in jurisdictions outside the USA.
Apologies for effectively double posting - feel free to edit / (re)move my comment to the kb article.