skip to navigation skip to content skip to footer



Overview of Cryptography and the Defence Trade Controls Act 2012

Code containing zeros and ones

As a Participating State of the Wassenaar Arrangement, Australia has an international obligation to strengthen its export controls on the transfer of sensitive technology, including the overseas transfer of certain encryption-related technology. Australia meets this obligation through the Defence Trade Controls Act 2012 (DTC Act). The introduction of the strengthened controls ensures Australia meets its international obligations and security requirements, while not unnecessarily restricting trade or research.

The Defence and Strategic Goods List (DSGL) describes all goods, software and technology that are subject to export control. Currently, a permit is required to tangibly export these items under the Customs Act 1901 via the Customs (Prohibited Exports) Regulations 1958. On 2 April 2016 the offence provisions of the DTC Act will come into effect, and a permit will be required for the intangible supply of the same items. This will bring Australia into line with world's best practice on export controls. The publication and brokering provisions of the DTC Act only apply to military items, or items which are for a military end-use, and so the publication and brokering of cryptographic goods, software and technology are generally exempt.

The supply provisions of the DTC Act are also subject to certain exemptions:

  • A supply is defined as a person in Australia providing DSGL-controlled software or technology to a person outside Australia. Therefore, any activity occurring wholly within Australia or wholly outside Australia is exempt.
  • Verbal communication of controlled software or technology (via telephone, Skype etc) is exempt.
  • Supply to or from certain Australian government officials (APS employees, ADF members, police etc) is exempt.
  • Supply of software or technology that is preparatory to its publication is exempt - for example, sending a draft publication or journal article to a person overseas for peer review, comment or submission.

Because of these exemptions, most academic activities such as conducting research, teaching students, submitting publications or patent applications, or attending conferences, either inside or outside Australia, are not subject to export control. Additionally, streaming a lecture to overseas students is exempt. If a person in Australia was actually providing software or technology to a person outside Australia via non-verbal means (e.g. email, file transfer etc), they would only be subject to export control if that software or technology was listed on the DSGL and did not meet the requirements for any exemption.

All cryptographic items subject to export control are listed in Part 2, Category 5, Part 2 of the DSGL. The goods in this section include cryptographic radios and other information security devices, software used in such goods, and technology (technical data) required to design, produce and use these goods.

The use of cryptography itself is not controlled i.e. sending an encrypted email or message, or making an encrypted phone call, is not subject to export control simply because it is encrypted.

The scope of the encryption controls in the DSGL is limited by six major exemptions:

  • All cryptographic goods being exported for the user's personal use are exempt.
  • All cryptographic software and technology in the public domain is exempt.
  • All cryptographic software and technology that is basic scientific research, or is the outcome of basic scientific research, is exempt.
  • All cryptographic goods and software that is generally available to the public via the mass market is exempt (see DSGL Part 2, Category 5, Part 2, Note 3 for full details of this 'mass market' exemption).
  • All cryptographic technology that is being submitted for a patent application is exempt.
  • Only that technology that is "required" for achieving or enabling cryptographic functions is subject to export control - other technology that is merely associated with encryption or cryptographic goods is exempt.

Because of these six exemptions, much commonly used cryptography such as commercial or open-source hardware and software using published cryptographic algorithms is not subject to export control. In particular, this exempts most consumer goods such as smart phones and secure email software.

Additionally, standard university teaching is derived from textbooks and other academic publications, and is therefore exempt as information 'in the public domain'. The types of items that are listed on the DSGL and are therefore subject to export control include proprietary, confidential or unpublished technical research on new cryptographic schemes, encryption hardware or software that is not available to the public (e.g. internal company proprietary systems), or items that are specially designed for military use. If a person wishes to export or supply such goods, software or technology, they must obtain a permit from DEC.

Defence has recently completed a trial of 2-Step Permits for information security and cryptography research, with two universities having participated in the trial. Defence will soon commence a review of the results of the trial, in consultation with the cryptography research sector.