The Bureau of Industry and Security (“BIS”) previously did battle with cloud computing in an advisory opinion it released in January 2009. Almost two years later BIS charges into battle yet again, and yet again there is no clear victor.
In the 2009 advisory opinion, BIS noted that the provider of cloud computing services was only providing a service and was not exporting data or technology. Only the customer of the service could be the exporter, and only the customer of the service would be in export hot water if the data or technology was transferred in violation of the Export Administration Regulations. This logic seemed a bit at odds with the normal concept that providing access to technical data to foreign nationals was an export, but let’s not trouble ourselves here with minor details. A sly little sentence dropped at the end of the opinion also reminded everyone that the Office of Foreign Assets Control (“OFAC”) might have concerns with the provision of cloud computing services to blocked persons or embargoed destinations even if BIS did not.
Now, two years later, BIS confronts the related and more difficult question of what cloud computing service provides ought to do about their own foreign national IT staff who might have access to controlled technology placed on the cloud by the service’s customers. Not to worry, says the opinion, because the cloud computing service provider isn’t an exporter and thus can’t be a deemed exporter:
Because the service provider is not an “exporter,” [it] would not be making a “deemed export” if a foreign national network administrator monitored or screened, as described above, user-generated technology subject to the EAR.
But the problem with this logic is that the person who gives a foreign national access to controlled technology is a deemed exporter even if he isn’t an exporter. That’s why they call it a “deemed” export.
Of course, none of this addresses the 900-pound gorilla in the room which is, of course, the user of the cloud service and its liability for using a cloud service where foreign IT personnel have access to the controlled data that the user may have placed on the cloud. And don’t think the problem starts and ends with cloud computing. The Internet, is also a cloud of sorts linking various servers together to permit transit of data to its final destination. Any of those servers may have foreign network administrators who could use packet sniffers to see controlled technical data. Worse yet, the routing servers may be located in foreign countries even when the sender and the receiver are both located in the United States.
What I think we’d like to hear is what BIS and DDTC think about this. Or maybe not.