As a Participating State of the Wassenaar Arrangement, Australia has an international obligation to strengthen its export controls on the transfer of sensitive technology, including the overseas transfer of certain encryption-related technology. Australia meets this obligation through the Defence Trade Controls Act 2012 (DTC Act). The introduction of the strengthened controls ensures Australia meets its international obligations and security requirements, while not unnecessarily restricting trade or research.
The Defence and Strategic Goods List (DSGL) describes all goods, software and technology that are subject to export control. Currently, a permit is required to tangibly export these items under the Customs Act 1901 via the Customs (Prohibited Exports) Regulations 1958. On 2 April 2016 the offence provisions of the DTC Act will come into effect, and a permit will be required for the intangible supply of the same items. This will bring Australia into line with world's best practice on export controls. The publication and brokering provisions of the DTC Act only apply to military items, or items which are for a military end-use, and so the publication and brokering of cryptographic goods, software and technology are generally exempt.
The supply provisions of the DTC Act are also subject to certain exemptions:
Because of these exemptions, most academic activities such as conducting research, teaching students, submitting publications or patent applications, or attending conferences, either inside or outside Australia, are not subject to export control. Additionally, streaming a lecture to overseas students is exempt. If a person in Australia was actually providing software or technology to a person outside Australia via non-verbal means (e.g. email, file transfer etc), they would only be subject to export control if that software or technology was listed on the DSGL and did not meet the requirements for any exemption.
All cryptographic items subject to export control are listed in Part 2, Category 5, Part 2 of the DSGL. The goods in this section include cryptographic radios and other information security devices, software used in such goods, and technology (technical data) required to design, produce and use these goods.
The use of cryptography itself is not controlled i.e. sending an encrypted email or message, or making an encrypted phone call, is not subject to export control simply because it is encrypted.
The scope of the encryption controls in the DSGL is limited by six major exemptions:
Because of these six exemptions, much commonly used cryptography such as commercial or open-source hardware and software using published cryptographic algorithms is not subject to export control. In particular, this exempts most consumer goods such as smart phones and secure email software.
Additionally, standard university teaching is derived from textbooks and other academic publications, and is therefore exempt as information 'in the public domain'. The types of items that are listed on the DSGL and are therefore subject to export control include proprietary, confidential or unpublished technical research on new cryptographic schemes, encryption hardware or software that is not available to the public (e.g. internal company proprietary systems), or items that are specially designed for military use. If a person wishes to export or supply such goods, software or technology, they must obtain a permit from DEC.
Defence has recently completed a trial of 2-Step Permits for information security and cryptography research, with two universities having participated in the trial. Defence will soon commence a review of the results of the trial, in consultation with the cryptography research sector.