Export Control for Software and Technology: Classification Screening in the Digital Age
Why Software and Technology Are Subject to Export Control
Export controls do not apply only to physical goods. Software programs and technical data -- intangible assets -- are also regulated under FEFTA.
Specifically, the Export Trade Control Order (which regulates goods) covers media containing software, while the Foreign Exchange Order (which regulates technology) covers the software itself and its design information.
High-performance encryption software, numerical control programs, and simulation software may all be subject to controls. Even IT companies and software developers are not exempt from export control obligations.
Legal Basis for Software Export Control
Software as Goods
When software recorded on physical media (DVDs, USB drives, etc.) is taken overseas, it is treated as a goods export under the Export Trade Control Order.
Software as Technology
When software source code, design information, or algorithmic details are provided to a non-resident, it is treated as a technology provision (service transaction) under the Foreign Exchange Order.
The method of provision is immaterial. Email transmission, cloud storage sharing, and screen sharing during online meetings all fall within scope. Electronic transmission of controlled technology requires authorization just as physical transfer does.
How to Approach Software Classification Screening
Basic Workflow
Software classification screening follows these steps:
- Identify the subject: Clearly define the functions and specifications of the software to be exported or provided
- Cross-reference against list controls: Check for "program" references in each item of Appended Table 1 of the Export Trade Control Order
- Verify technical parameters: Determine whether encryption key lengths, processing speeds, precision levels, etc. meet control thresholds
- Document the determination: Record the rationale for the controlled/not controlled finding
Primary Areas Where Software Is Controlled
| Area | Examples of Controlled Items | Relevant Item No. |
|---|---|---|
| Encryption | Encryption algorithm implementations, cryptanalysis tools | Item 9 |
| Numerical control | Machine tool control programs, CAD/CAM software | Item 6 |
| Image processing | High-precision image recognition and analysis software | Item 10 |
| Simulation | Computational fluid dynamics, structural analysis, nuclear-related simulation | Items 2, 4, etc. |
| Telecommunications | Specific communication protocol implementations, spread spectrum technology | Item 9 |
| Information security | Intrusion detection systems, vulnerability analysis tools | Item 9 |
Encryption Regulations
Encryption is the area most frequently at issue in software export control. It is included in the Wassenaar Arrangement's controlled items and is regulated under Item 9 of Appended Table 1 in Japan.
Whether encryption is controlled depends primarily on:
- Type of algorithm: Symmetric-key, asymmetric-key, hash functions, etc.
- Key length: Encryption above certain key lengths may be controlled
- Purpose: Encryption used solely for authentication may be partially exempt
However, commercial encryption software (so-called "mass market" products) may be exempt from controls if certain conditions are met.
Cloud Services and Export Control
Technology Transfer via the Cloud
Technology provision through cloud services is a critical issue in modern export control.
If controlled technical data is uploaded to a cloud storage service and made accessible to overseas non-residents, the upload itself is interpreted as a "technology provision."
Key Considerations
Decisions regarding cloud-based export control hinge on the following factors.
Scenarios that are controlled:
- Storing controlled technical data on cloud storage accessible to non-residents
- Granting access to controlled software to employees at overseas offices
- Providing SaaS software that includes controlled encryption functionality
Scenarios that are not controlled:
- Access controls prevent non-residents from accessing the data
- Only publicly available technology is stored in the cloud
- The cloud service is merely a transport mechanism and the technology being provided is not controlled
CISTEC's Position
CISTEC has published guidance on export control for cloud computing services. The key principle is that the physical location of the cloud server is not the determining factor -- what matters is whether the person accessing the technology is a non-resident.
Open Source Software (OSS)
Open source software is generally considered "publicly available technology" and is therefore exempt from export controls. However, several caveats apply:
- Published source code: Source code accessible to anyone on platforms like GitHub constitutes publicly available technology
- Customized versions: Custom modifications or added functionality built on top of OSS may not qualify as publicly available
- Unpublished design information: Design documents, test results, and other unpublished materials generated during OSS development may be subject to controls
Practical Considerations
Internal Technology Management
Unlike physical goods, software and technical data can be copied and transmitted with ease. This necessitates the following management practices:
- Access control: Restrict access to controlled technologies to personnel with a legitimate business need
- Data classification: Classify internal technical data as controlled or non-controlled and enforce clear labeling
- Transmission management: Require an approval process before sending technical data via email or cloud
- Portable device management: Verify technical data stored on laptops and USB drives before overseas travel
Overseas Business Travel
When engineers travel overseas with laptops or smartphones containing controlled technical data, merely taking the device out of the country constitutes an export. Perform classification checks on stored data before departure and obtain necessary licenses.
Software Updates and Export Control
Updates and bug fixes for software already provided overseas may require new authorization as a technology provision, depending on the content. Verify in advance whether any update includes controlled functionality.
Streamlining Software Classification Screening
Software classification screening is demanding because it requires both technical understanding and legal interpretation. Products with encryption features or those potentially spanning multiple control categories are particularly complex.
TRAFEED (formerly ZEROCK ExCHECK) is an AI-powered tool that supports classification screening for a wide range of items, including software. When product specifications are entered, the system automatically cross-references them against list controls and presents the determination with supporting rationale. It covers encryption-related controls, making it applicable to the unique challenges of software screening. Compliance with METI standards ensures that screening records maintain credibility.
Summary
- Software and programs are regulated under both the Export Trade Control Order and the Foreign Exchange Order
- Classification screening evaluates technical parameters such as encryption key lengths and processing precision
- Cloud-based technology transfers are considered "provided" the moment non-residents can access them
- Open source software is generally considered publicly available, but customized portions may be controlled
- Overseas travel with laptops and software updates both require an export control perspective
- Access control, data classification, and transmission management form the practical foundation
More Articles in This Category
Export Control Fundamentals - Why Classification Screening Matters
An introduction to export control fundamentals: the regulatory framework, the necessity of classification screening, the difference between list-based and catch-all controls, and the penalties for violations.
Catch-All Controls Explained in Plain Terms
A clear explanation of catch-all controls: how they work, when they apply, and the practical steps for compliance. Includes a comparison with list-based controls.
Practical Guide to Classification Screening - Procedures and Common Challenges
A hands-on guide to the classification screening process, covering each step in detail along with the most common challenges companies face and how to address them.