Browser Export Rules: Is SGC Still Okay?

TL;DR

The original SGC (Software Guidance Code) for browser export controls is outdated. Modern browsers are complex and often include features that fall under stricter regulations, even if you’re just distributing a standard browser. You need to assess your specific situation carefully, considering the origin of the software, its functionality, and where it’s being exported. This guide explains how.

Understanding the Problem

Export controls restrict the distribution of certain technologies to specific countries or individuals. Browsers are often caught up in these rules because they include encryption, communication protocols, and other sensitive features. The old SGC was based on simpler browsers; today’s versions are much more complex.

Step-by-Step Guide

1. Identify the Browser’s Origin: Where did the browser software come from? Is it a commercial product (Chrome, Firefox, Edge)? An open-source project (Chromium)? A custom build?
   • Commercial browsers usually have export compliance handled by the vendor.
   • Open-source projects require you to assess compliance yourself.
   • Custom builds *always* require a full assessment.
2. Determine Key Features: What functionality does the browser offer? Consider these:
   • Encryption: Does it use strong encryption (TLS 1.3, etc.)? This is almost always controlled.
   • Communication Protocols: Does it support protocols like SSH or VPNs? These are often restricted.
   • Remote Access/Control: Can the browser be remotely accessed or controlled?
   • Data Collection: What data does the browser collect, and where is that data stored? (Privacy features can have export implications)
3. Check Export Control Classification Numbers (ECCNs): The US government assigns ECCNs to technologies. These numbers determine which countries are restricted.
   • Use the BIS ECCN Search Tool to find relevant ECCNs for browser components.
   • Commonly relevant ECCNs include 5A002 (Cryptography), 5D001 (Telecommunications and Network Equipment) and potentially others depending on features.
4. Assess Your Export Destination: Where are you exporting the browser to?
   • Check the BIS Country Chart for restrictions on your destination country.
   • Pay attention to embargoed countries, sanctioned entities, and specific end-users.
5. Consider End-Use: What will the browser be used for?
   • Even if a country isn’t generally restricted, certain end-uses (e.g., military applications) may be prohibited.
6. Licensing Requirements: If your export is controlled, you may need to obtain an export license.
   • Apply for a license through the BIS SNAP-R system.
   • There are exceptions (e.g., encryption commodity number – ECCN 5A002) that may allow you to export without a license, but these have strict requirements.
7. Documentation: Keep detailed records of your compliance assessment and any licenses obtained.
   • Document the browser’s origin, features, ECCNs, destination, end-use, and licensing decisions.

Specific Considerations for Chromium

If you’re building a browser based on Chromium (e.g., Brave, Vivaldi), the situation is more complex.

• Chromium itself has export restrictions. You are responsible for ensuring your build complies with these rules.
• Any modifications or additions to Chromium will also need to be assessed.

Tools and Resources

• BIS (Bureau of Industry and Security): The primary US government agency responsible for export controls (https://www.bis.doc.gov).
• ECCN Search Tool: Find the correct ECCNs for your technology (https://www.bis.doc.gov/classification).
• Country Chart: Check restrictions on specific countries (https://www.bis.doc.gov/policyguidance/countrycharts).