Vladimir Wants To See Your Source Code


Posted by at 4:08 pm on June 26, 2017
Category: BIS, Encryption

Photo Credit: Vladimir Putin by Kremlin.ru [CC BY 3.0 (http://creativecommons.org/licenses/by/3.0)] via https://commons.wikimedia.org/wiki/File%3AVladimir_Putin_12019.jpg [cropped]

According to this Reuters report, the Russians are demanding from U.S. companies the right to view source code of software that these companies wish to sell in Russia. The software at issue includes software with encryption capabilities, anti-virus software and firewalls. You don’t have to be a rocket (or computer) scientist to figure out why Vladimir and his spy master buddies want to look at such software. They are looking for vulnerabilities that would allow the Russians to continue to hack into U.S. networks and infrastructure. Surprisingly, Reuters suggests that some big names in U.S. software are actually complying.

That’s surprising because, as many readers probably know, handing over the source code of programs with encryption functionality to the Russian government requires a license from the Bureau of Industry and Security (“BIS”). Normally, I would expect BIS, at least for the moment, to grant such a license when hell freezes over or, as Vladimir himself might say, когда рак на горе свистнет (“when crawfish whistle in the mountains.”)

Here’s why a license is necessary. First, keep in mind that BIS controls the export of software with encryption functionality. This includes software that does not contain any encryption algorithms but calls those algorithms from an external source to perform the actual encryption. Although the language of the EAR is far from making it clear, BIS makes it quite clear here on its website:

Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.

Most programs, in fact, call encryption from the operating system. Some browsers, such as Firefox, incorporate their own encryption, and programs may utilize browser encryption when sending and retrieving data from the Internet. In any event, the vast majority of software has some encryption functionality either by using the operating system or native encryption in certain browsers.

Second, source code does not fall under EAR section 740.17(b)(1) and is not eligible for self-classification and export under License Exception ENC. Rather source code that is not publicly available falls under 740.17(b)(2)(i)(B). Items that fall within (b)(2), such as source code, can be exported thirty days after the filing of a classification report to “non-‘government end users’ located or headquartered in a country not listed in supplement no. 3.” See Section 740.17(b)(2)(i). As a result, license exception ENC does not authorize exports to government end-users outside Supplement 3 countries. As Russia is not a Supplement 3 country, a license is required to provide source code with encryption functionality to the government of Russia.

I have no way of knowing whether the U.S. companies that have let Vlad peek at their source code bothered with, or even knew of the requirement for, licenses.   And although not so long ago, BIS would probably have said “nyet” to any such license request, it is altogether possible that BIS is now saying “da” instead.   In any event, companies should think long and hard before spilling their source code for software with encryption functionality to the Russkis without getting a license from BIS first.

 



Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



The Chewbacca Defense: Export Edition


Posted by at 5:26 pm on June 22, 2017
Category: Arms Export, Criminal Penalties, DDTC

The decision in United States v. Burden, decided back in November of 2016, is not breaking news, but as I’ve seen several commentaries on it recently, I thought I might weigh in. The defendants in that case argued that they had not violated the Arms Export Control Act because — get this — ammunition magazines and grenade launcher mounts, according to the defendants, are not defense articles. The defendants argued that these items are not defense articles because they can also be used with airsoft guns. Accordingly they claimed the magazine and mount are not defense articles as defined in section 120.4 of the International Traffic in Arms Regulations and no license was required for their export. This is pretty much like arguing that cannons are not defense articles because you could use them in circuses to shoot people into trampoline nets.

For reasons that are not clear, this led the District Court to actually consider whether these items were defense articles or not as defined in section 120.4.  That section deals with commodity jurisdiction determinations and had no relevance to the case under consideration.  The question properly before the court was whether the grenade mounts and ammunition magazines are on the United States Munitions List (“USML”), not whether they are defense articles.

If the items are on the USML, they are by definition defense articles.   The very first sentence of the USML makes this crystal clear:

U.S. Munitions List. In this part, articles, services, and related technical data are designated as defense articles or defense services pursuant to sections 38 and 47(7) of the Arms Export Control Act.

This means that the only real question the court had to answer was whether the grenade mount and ammunition magazine were described in Category I(h) of the USML which covers “[c]omponents, parts, accessories and attachments” of firearms described in Category I, subparts (a) through (h). It doesn’t matter that these items can be used on airsoft or paintball guns any more than it matters that a cannon can be used in a circus act or a performance of the 1812 Overture. Certainly the magazine meets the definition of a component and the mount meets the definition of an attachment and that, pretty much, should have been the end of it.

Even so, the court decided that the items were defense articles not because they were on the USML but because an expert witness from DDTC said that they were defense articles. The expert in question was Robert Warren, formerly Division Chief of the Plans, Personnel, Programs, and Procedures Division of DDTC, an odd choice in comparison to, say, the division chief for the division that handles licensing for firearms.  In any event, the court noted that Warren testified that “a defense article as we termed it is anything that has a military significance or military application.”  And that, according to the court, settled the question as to whether the mount and the magazine were defense articles.

Of course, the idea that something is a defense article if it has a military application is the equally stupid mirror argument to the defendants’ nonsensical claim that something is not a defense article if it has a non-military use.  Under the standard articulated by Warren, a water canteen purchased at a camping store or a pair of camo pants purchased from a clothing store would be defense articles.

As noted above, there was no need for anyone to dive down this rabbit hole and figure whether the mount and the magazine were defense articles.  If they were described by Category I(h) as attachments and components of firearms then they were defense articles.  End of story.  No further proof as to whether they were defense articles was necessary.   And, given that the defendants did not appear to dispute that these items were components and attachments of firearms but only that they were defense articles, it is not unfair to accuse them of raising the fabled Chewbacca defense.

Photo Credit: Human Cannonball by Laura LaRose [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/6shAzP [cropped and processed]. Copyright 2009 Laura LaRose




Shedding Light on Gun Exports on the Dark Web


Posted by at 9:57 pm on June 20, 2017
Category: Arms Export, Criminal Penalties, DDTC

Cobray M-11 Pistol via https://www.gunsamerica.com/UserImages/199/917418641/wm_md_10452136.jpg [Fair Use]

Two geniuses in Georgia hit on what they must have imagined was the perfect crime: sell guns to foreigners anonymously on the dark web; get paid anonymously in Bitcoins; make a billion dollars; spend the rest of their lives watching extreme wrestling and tractor pulls on cable TV. Except, of course, what really happened means that their cable TV viewing options over the next few years are likely to be extremely limited.

Even if, as the dog in the famous cartoon tells the other dog, “on the Internet nobody knows you’re a dog” (or a gun smuggler), you can’t stay on the Internet forever. Not surprisingly, even though the two defendants tried to cloak themselves behind the dark web and supposedly anonymous cryptocurrency, they still had to leave their computers, buy the guns, take them to the post office and ship them to real people. And that, as they say, was all she wrote.

According to the indictment, the two defendants, Gerren Johnson and William Jackson, who used the pseudonyms CherryFlavor and CherryFlavor_2, first captured the attention of authorities when a 9mm pistol was “recovered” in the Netherlands from a buyer who said he bought the gun from a dark web vendor named CherryFlavor. Shortly thereafter Australian customs recovered another pistol hidden in a karaoke machine (see, nothing good ever comes from karaoke), and the Australian buyer also identified his seller as CherryFlavor.

And here’s how the feds figured out who was hiding behind the CherryFlavor screen name: according to the indictment, Johnson bought an unusual gun, a Cobray Model M-11 Georgia Commemorative 9mm pistol from a dealer in Georgia. Two days later he posted the gun for sale on his dark web site. Now the feds had the link they needed: a non-virtual gun dealer making a real sale in the real world to a real person of a real gun that then shows up on CherryFlavor’s page. Game over.

The interesting thing is what Messrs. CherryFlavor are charged with in the indictment. The first count is operating an unregistered firearms business. The second and third counts are for exports of two guns in violation of the anti-smuggling statute, 18 U.S.C. 554, which forbids exports from the United States “contrary to any law or regulation of the United States.” Oddly, the law said to be violated was not the Arms Export Control Act but 18 U.S.C. § 922(e) which prohibits shipping a firearm without disclosing to the shipper that a firearm is being shipped.

So why aren’t the defendants charged with what appears to be a clear violation of the Arms Export Control Act? We know that prosecutors have argued, not very persuasively, that the knowledge requirement for violations of section 554 is just an intentional export without any requirement that the defendant knows the intentional export is in violation of law. But here, if the allegations of the indictment are true, the case that the defendants knew what they were doing is, as they say, a slam dunk. They sold guns to foreign customers using pseudonyms on the dark web in exchange for Bitcoins and sent the guns hidden in karaoke machines. Criminal intent does not get much clearer than that. My guess is that there is more going on here than Dumb and Dumber selling guns on the dark web. Charges like this suggest that the prosecutors have negotiated with the defendants in exchange for some broader cooperation. If that’s true, it will be interesting to see what happens next.

UPDATE:  Commenter “Name” makes a good point: because the case is in the 11th Circuit, the prosecution has to deal with a stricter intent requirement and has to show that the defendants knew that an export license was required.  See United States v. Macko, 994 F.2d 1526 (11th Cir. 1993).  The defendants’ concealment of the gun in a karaoke machine shows a knowledge of illegality but, perhaps, not necessarily a knowledge of a license requirement under the AECA.  It was for this reason, the commenter said, that the charge was under 18 U.S.C. § 554, which might not be subject to the stricter intent requirement.  Commenter “Name” used a VPN to conceal his/her identity and location, so I suspect this is a person who has some actual knowledge of why the government charged this case the way it did.




New Cuba Travel Rules: No Place to Stay, No Place to Eat, Nothing to Do While There


Posted by at 3:41 pm on June 16, 2017
Category: Cuba Sanctions, OFAC

President Trump today announced new sanctions on Cuba, effectively rolling back many, if not most, of the changes made by the Obama administration to loosen the sanctions. The most significant changes will make travel to Cuba by U.S. citizens more difficult, if not virtually impossible.

The executive order signed by Trump has not yet been released, but FAQs on the new policy have been posted to OFAC’s website. The biggest change will be with respect to individual people-to-people travel that was permitted starting March 15, 2016. Under the new rules, educational travel under the people-to-people exception will only be permitted if organized “under the auspices of an organization that is subject to U.S. jurisdiction that sponsors such exchanges.” What organizations will meet this test is not clarified in the new FAQs.

OFAC says that the individual people-to-people license remains in effect until OFAC issues new regulations, but there is a wrinkle, actually more a tectonic fault than a wrinkle. If you  purchased a ticket or hotel room before today, you can rely on the old license even after the new rules are formally adopted by OFAC. The flip side of this, however, is that you make individual travel arrangements after today at your own risk.  This is because in that case if the new rules are adopted before you complete your travel to Cuba, you’re out of luck and the individual general license no longer applies. In the worst case scenario, if the rules are changed while you’re in Cuba and you have made your travel arrangements after today, you will be in violation of the new rules unless you can instantly teleport yourself off the island.

The other change that will significantly impact travel is the prohibition on all transactions by U.S. travelers in Cuba with “entities related to the Cuban military, intelligence, or security services.” This is directed at Grupo de Administración Empresarial, S.A. (“GAESA”) which controls a large portion, probably around 60 percent, of the Cuban economy and most of the tourist sector. Almost all of the shops, hotels and restaurants in Old Havana are run by GAESA, as are most of the hotels elsewhere in Cuba. U.S. tourists who buy a bottle of cold water from a supermarket run by GAESA anywhere on the island will risk getting in hot water with OFAC when they return home.

This obviously poses problems for every traveler in Cuba whether they are on a specific license or are traveling under any of the twelve general license categories. Certainly one cannot expect GAESA to warn U.S. tourists or to plaster its name over all of its properties, hotels, restaurants, gas stations, supermarkets and stores. Never fear, however — the FAQs say that when the new regulations are adopted the State Department will publish a list of GAESA entities. So, all tourists will have to do is carry the twenty-page list around with them and check the list before ordering a daiquiri, buying a cigar, checking into a hotel, or eating in a restaurant, or doing anything else on their travels. (That sounds like fun.)

You might think that private rentals, like those handled by AirBNB, will be spared the GAESA taint. But you would be wrong. VaCuba, which handles remittances for AirBNB, is owned by GAESA.

The good news is this: if you can somehow manage to get to Cuba under the new rules and find a legal place to stay, you can still buy cigars and bring them back with you. At least, if you haven’t bought them from a store owned by GAESA.

Photo Credit: Women with Cigar by Daniele Febei [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/7cPMmY [cropped and processed]. Copyright 2009 Daniele Febei




Delaware Bill Proposes Mandatory OFAC Screening: What Could Go Wrong?


Posted by at 1:37 pm on June 15, 2017
Category: OFAC, SDN List

I love Delaware. I’ve spent many days on the Delaware beaches. Even so, recent legislation proposed in the Delaware House deserves ridicule and I’m willing to do that, even if that means I’m banned from ever having another slice of Grotto Pizza or bucket of Thrasher’s Fries.

The bill in question, House Bill No. 57, prohibits the Delaware Secretary of State from registering LLCs where the members are subject to OFAC sanctions.  It also requires registered agents to screen members to avoid presenting applications with sanctioned members.

The bill is the brainchild of the Delaware Coalition for Open Government  (“DelCOG”), which after untold hours researching Delaware LLCs, has discovered two (yes, two) cases where Delaware has registered LLCs on the OFAC SDN List. The companies in question are 200G PSA Holdings, LLC and Agusta Grand I, LLC, which were designated as Specially Designated Narcotics Traffickers by OFAC on February 13, 2017. Both companies were registered in Delaware, respectively, on January 29, 2013, and October 28, 2014. Because the designation occurred after the companies were registered in Delaware, the proposed legislation would not have had any impact on the registration of these companies.

DelCOG and the bill’s drafters seem to be unaware that SDNs will get registered in Delaware only when their designation occurs after registration. If it occurs before, the companies will be unable to pay their fees because banks will almost certainly block all payment of registration and agent fees. So the proposed legislation does not really accomplish its intended purpose at all.

What it does do is create ample opportunity for confusion. Here’s some language from the bill:

The Secretary of State shall neither certify for formation or domestication nor register as a limited liability company any citizen, group, organization, or government of a listed Sanctioned Nation in the Active Sanctions Program of, or any Specially Designated National listed as such by, the Office of Foreign Assets Control (OFAC) of the United States Department of the Treasury when federal law is violated thereby.

The phrase “listed Sanctioned Nation in the Active Sanctions Program” is not defined in the proposed bill. This is an apparent reference to this web page on the OFAC site which lists countries subject to comprehensive sanctions like Syria and Iran but also countries with regime-based sanctions, such as Iraq and Venezuela, where only designated individuals and entities are affected. This sets up the possibility that when anyone in Venezuela (who is not an SDN) is a member of an LLC seeking registration the Delaware Secretary of State will have to decide whether this violates federal law. The same will occur if the member is a U.S. permanent resident who is also an Iranian citizen. Neither of these instances would violate federal law, but who knows what the Secretary of State of Delaware will decide.

The proposed legislation also wanders into CFIUS territory with equally dubious results. The bill requires registered agents to determine if the purpose of the proposed LLC conflicts with the “prohibited or restricted investment … requirements” of Exon-Florio, 50 U.S.C. App. § 2170. In such cases, the registered agent cannot file the registration application on behalf of the LLC and must advise them to file a CFIUS notice. Apparently, the drafters of the bill are not aware that the CFIUS notice process is voluntary.

This bill amply demonstrates the problems that arise when states take it upon themselves to interpret and enforce federal law.

Photo Credit: Rehoboth Boardwalk by Clif Burns Copyright 2014 Clif Burns. All rights reserved.
