Export Control for Software
Other relevant information about software, licensing and guidelines
This web page gives you initial information how to proceed and what to consider in case you are exporting a software outside Switzerland/Lichtenstein or when you distribute/transfer software to certain nations, entities (e.g. companies or organizations) or individuals listed for embargoes.
General Information
The Goods Control Act and the Embargo Act form the basis of export control and these Acts regulates the exchange of items for war materials and items for civil and military use (dual-?use items), and list also the nations, nationality, entities or individuals to which the item can not be exchanged, exported or re-exported.
Dual-use items are items that have a primary commercial/civil application, but have the potential also for military or weapon applications.
All items listed in the external page Goods Control Act, the external page Goods Control Ordinance (GCO) or their Annexes are subject to authorization by the State Secretariat for Economic Affairs (SECO) when exported/re-exported or exchanged, or exchanged with listed nations, entities or individuals, and are generally referred to as "controlled items".
Items include products, technologies (information and knowledge) and software.
Like all other items, software can not be freely exchanged with others (i.e. mainly in cross-borders export or re-export) if the software is a controlled item, i.e. is an item in the lists of the State Secretariat for Economic Affairs (SECO). Moreover, ETH Zurich is obliged to comply with the export control laws and regulations in the exchange of such items.
If the exchange of controlled items involves items of U.S. origin an U.S. authorization for the export/re-export may also be required.
General Recommendation
Whenever you place software/program code developed at ETH Zurich for the first time on an internet page, public platform or distribute software via an app portal (e.g. Google Play, Apple Store, etc.) and you cannot/won't control who and from where someone downloads your software, you should assume that the software will be exported beyond the borders of Switzerland/Lichtenstein or that it could be used/downloaded by nations, nationalities, entities or individuals subject to embargoes.
In such case we recommend to verify in advance whether you are allowed to distribute the software or not according to the current export control law and whether your software is a controlled item.
Certain categories of software like software for security information or software for surveillance/control of the internet and mobile networks are controlled items and shall be verified in all cases whether an authorization is needed. The complete list of software categories for which we recommend an in-depth examination is below.
Important!
- It is responsibility of the professor(s) to verify whether a software is listed as controlled item and if an authorization from the SECO is required.
- Please consider also, that in case a controlled software is embeded or implemented in hardware, for example as firmware or in a FPGA, automatically also the hardware is a controlled item.
Open Source Software and Export Control
Open Source Software is usually distributed unrestricted over public platforms like GitHub, SourceForge or GitLab (on premise) to anyone, and you should assume that the software is exported outside the border of Switzerland/Lichtenstein.
When you distribute software for the first time (i.e. that has never been distributed or exported before) and the software is on the export control list, please note that such software needs an export authorization from the State Secretariat for Economic Affairs (SECO) prior to distribute the software under an Open Source License on publicly accessible platforms.
It is responsibility of the professor(s) to verify whether a software is listed as controlled item and an authorization from the SECO is required.
For more information, please contact the protected page Export Control.
List of "catch-all" software categories for which an authorization is mandatory
We warmly recommend to verify in advance with the protected page Export Control whether an export authorization is needed in case your software is listed in the below categories:
Software for Information Security
Defintion of Information Security is "all means and functions ensuring the accessibility, confidentiality or integrity of information or communications, including the means and functions intended to safeguard against malfunctions. This includes ?cryptography?, ?cryptographic activation?, ?cryptoanalysis?, protection against compromising emanations and computer security. This apply even if the information security means and functions are components or functions of other items".
If you have any doubts whether your software may fall under this category, or you need further information, please contact the protected page Export Control.
Software for Surveillance/Control of the Internet and Mobile Networks
On 25 November 2020 the Swiss government has released a regulation enacting the control of items that specifically have the characteristics to be used for repression against peoples or groups of peoples. The items that have these characteristics and are considered controlled items are listed in the Annex of the "external page Ordinance on the export and brokerage of goods for Internet and mobile phone surveillance" (only in german).
Moreover, the EU has also further tightened the export control regulation for the development, production and use of such items. In order to address the risk that certain previously non-listed cyber-surveillance items exported from the EU might be misused by persons complicit in or responsible for directing or committing serious violations of human rights or international humanitarian law, the EU decided on September 2021 that it is appropriate to place the export of such items under control. Associated risks relate, in particular, to cases where cyber-surveillance items are specially designed to enable intrusion or deep packet inspection into information and telecommunications systems in order to conduct covert surveillance of natural persons by monitoring, extracting, collecting or analysing data, including biometrics data, from those systems.
‘cyber-surveillance items’ means dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.
This definition generally includes software that is capable of facial recognition or that can potentially be used for facial recognition.
If you have any doubts whether your software may fall under this category, or you need further information, please contact the protected page Export Control.
Are there exemptions for software from the export control?
Not really! According to Swiss and EU export control laws, only three categories of software are exempted from the export control:
- Generally available software;
- Object code with minimal requirement;
- Software in to public domain (applies only to software already distributed by others).
These exemption are almost all not applicable to software developed at ETH Zurich. Why and for more information, please look at the definitions below.
Not only! Certain categories of software do not fall explicitly under these exemptions. Software for Information Security (please see defintion above) listed in the GCO (category 5, part 2) is considered controlled software and must be authorized in any circumstances by the State Secretariat for Economic Affairs (SECO) to be exported.
Defintion - Generally available software
"Generally available software" means: Software sold from stock at retail selling points, without any restriction,
- by means of over-the-counter, mail order, electronic or telephone call transactions,
- and are designed for installation by the user without further substantial support by the supplier.
Important! This exemption does not apply to Software for Information Security listed in the GCO under category 5, part 2 (please see defintion above).
Please contact the protected page Export Control if you have any doubts.
Defintion - Object code with minimal requirement
"Object code with minimal requirement" means: The minimum necessary ?object code? for the installation, operation, maintenance (checking) or repair of those items whose export has been authorised.
?Object code? means an equipment-executable form of a suitable description of one or more processes (source code) which has been compiled by a programming system.
Important! This exemption does not apply to Software for Information Security listed in the GCO under category 5, part 2 (please see defintion above).
Please contact the protected page Export Control if you have any doubts.
Defintion - In the public domain
"In the public domain" means: Software that has been made available for distribution and redistribution without any restrictions.
Example: Software is in the public domain when it has already been distributed (published) in media such as books, journals or the internet.
Note: Software that is on the export control lists and is intended to be published by ETH Zurich employees for the first time requires an export authorization from State Secretariat for Economic Affairs (SECO).
Please note also the information under "Open Source Software and Export Control" above. If you have any doubts please contact the protected page Export Control.
Dual-use items: category and groups
Dual-?use items have a primary commercial/civil application, but have the potential for military or weapon applications.
If you have developed a software for an innocuous application or purpose, but the software may be used in military, weapon or in other controlled fields, your software may require authorization in case you want to distribute the software to others. For example, a software capable to clearly identify or recognize details of flowers from photos or videos might be able to identify also faces of individuals and for this purposes might be a controlled software and need an authorization when distributed outside the borders of Switzerland/Lichtenstein or to specific nations/entities or individuals.
All dual-use items lists are divided into ten broad categories as follows:
0 - Nuclear material, facilities and equipment
1 - Material, chemicals, microorganisms and toxins
2 - Material processing
3 - Electronics
4 - Computers
5 - Telecommunications and information security
6 - Lasers and sensors
7 - Navigation and avionics
8 - Marine
9 - Aerospace and propulsion
Within each category, controlled items are divided into five groups as follows:
Group A – Equipment, assemblies and components
Group B – Test, inspection and production equipment
Group C – Material
Group D – Software
Group E – Technology
Thus, even though the categories (0 to 9) do not explicitly refer to software, the "Group D - Software" is always included in each category (0 to 9).
The detailed lists can be found here: protected page Export Control
If you think that your software is within a controlled category, please contact the protected page Export Control for further advise.
For any additional information regarding software licensing to third parties, please contact the IP & Licensing Group.