Jan

12

Cloudy with a Chance of Fines

Posted by at 9:23 pm on January 12, 2010
Category: Technology Exports

Cloud ComputingAs enterprises began to confront the issues raised by cloud computing, this article on TMCnet is a good reminder that export issues may be some of the most intractable. Although some clouds, like Amazon’s EC2, provide servers in defined locations, other cloud providers, Google notably, are more secretive about where their clouds are located or on which clouds user data is stored. If ITAR-controlled technical data or CCL-controlled technology is stored by a U.S. company on a cloud outside the United States, an export has occurred. If no license has been obtained it is safe to say that this is going to be a cloud without a silver lining.

BIS did issue an advisory opinion in January 2009 on cloud computing. The advisory opinion was requested by an unnamed provider of cloud computing service and fails to address the export issues relating to users of such cloud computing services. In the advisory opinion, BIS stated, among other things, that the provision of cloud computing services is not an export subject to the EAR and that the cloud provider is not considered to be the exporter of any data that users place on and retrieve from the cloud.

The TMCnet article focuses unduly on the location of the server while neglecting that even if the cloud is wholly within the United States an export could occur if foreign nationals employed by the cloud provider in the United States have access to controlled technology or technical data. The same article also neglects to point out that export issues are raised in other Internet contexts. If an email contains controlled technology or technical data an illegal export will have occurred if the email transits a foreign server even if the email is sent from a server in the United States and is addressed to a server in the United States. The same issue could exist for VOIP voice communications if the VOIP provider utilizes any servers located outside the United States.

The BIS advisory opinion shows a laudable effort to understand and accommodate issues posed by cloud technology, at least from the perspective of the cloud provider. Hopefully, it will show the same practical considerations for users of cloud technology. Whether OFAC and DDTC will demonstrate similar understanding of the technology remains to be seen.

Permalink

Bookmark and Share

Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

3 Comments:

Interesting to see how Personal Information will be managed. I would like to prevent my insurance company from sending my details outside of the European Union without my consent.

Comment by Anna Madejski on January 13th, 2010 @ 3:12 am

Perfect example of why 20th Century export control laws are woefully inadequate to handle 21st Century technologies.

Comment by John Q. Citizen on January 13th, 2010 @ 11:17 am

I just came across this story about Google’s new contract for services with the City of Los Angeles. One of the contract terms specifies that Google will “guarantee that the data remains in the contiguous 48 states.”

I wonder if this feature is available for companies as well as governments? Maybe Google is trying to address the “cloud issue” after all. The full story is here:
http://ow.ly/1yNE1

Comment by Tom Reynolds on April 15th, 2010 @ 9:58 am