Archive for the ‘BIS’ Category


Skateboarding on Thin Concrete


Posted at 9:02 pm on August 25, 2015
Category: BIS, Cuba Sanctions, OFAC

Santa Monica Skateboarder by Clif Burns

An article in today’s Washington Post may be attracting some attention over in the halls and cubicles of the Office of Foreign Assets Control (“OFAC”). It describes in some detail how Miles Jackson, a local DC man and skateboarding enthusiast, appears to have been skating around the U.S. embargo on Cuba to deliver skateboards to Cuba and to spend time with his skateboarding buds in Havana.

Apparently the skateboarder became interested in Cuban skateboarding while studying abroad in Cuba during college.  So far, so good; nothing wrong with that.

The dicey stuff starts after he returns to the United States and wants to keep up with his skateboarding buddies in Cuba and send them real skateboards, notwithstanding the travel and export bans for Cuba.

Jackson and [a friend] Bradley began traveling to Cuba that September to drop a few boards off. Because direct travel from the United States was limited, their first trips went through Toronto, Bradley said.

That sentence probably should be re-written to remove the word “limited” — “Because direct travel from the United States was illegal, their first trips went through Toronto.” Of course, direct travel would be legal with a license, but then you wouldn’t go through Canada. Of course, maybe Jackson did get an OFAC license to go skateboarding in Cuba and decided to take the long route through Toronto.

On top of that, Jackson started exporting skateboards to Cuba:

Jackson … regularly travels with up to 50 skateboards at a time. He and his friends, through their nonprofit organization Cuba Skate, have ferried more than 200 skateboards in the past five years to aspiring skaters in the island country.

Of course, that would be okay if licensed, but there is no indication that such licenses were obtained. Another possibility would be export pursuant to BIS License Exception GFT. But that covers parcels addressed to an individual containing quantities normally given as gifts; it does not cover carrying 50 skateboards to Cuba through Canada if that is what happened.

Now Jackson wants to fix up the skateboard parks in Havana. He and some friends

plan to travel again to Havana in September, when they hope to start an ambitious renovation of the country’s only official skatepark, El Patinodromo, on the outskirts of the city. During the rainy season, the park floods, and the metal ramps and rails have begun to rust.

With the embargoes relaxed, Jackson hopes to replace the aging ramps and rails over five to eight weeks, pending permission from the State Department.

The State Department? Really?? Apparently the editors at the Washington Post (like their colleagues at the Wall Street Journal) must also be on vacation.

Don’t Believe Everything You Read in the Newspaper


Posted at 11:32 am on July 27, 2015
Category: BIS, Criminal Penalties, Iran Sanctions

Republican Herald HQ via Google Maps [Fair Use]

From the Republican Herald (Pottsville, PA) story on a guilty plea by Falcon Instrumentation and Machinery FZE in connection with an attempted shipment by Pennsylvania-based Hetran, Inc. of a bar peeling machine to Iran:

Federal prosecutors allege the machine, valued at more than $800,000 and weighing more than 50,000 pounds, has both military and civilian uses, which meant Hetran could not ship it to Iran without obtaining a license from the U.S. government. The machine is used in the production of high-grade steel, which is used in making automobiles and aircraft parts, according to prosecutors.

As astute readers of this blog will no doubt already know, U.S. companies like Hetran can’t ship anything at all (including EAR99 items) to Iran without a license or an applicable exception. But before we jump down the throat of a poor reporter in Pottsville, let’s think about what likely happened. In doing that, realize first that local reporters like DOJ press releases more than cats love catnip. Just rewrite it a little and push send and the day’s work is done.

And, indeed, as suspected there is a DoJ press release and it says this:

Under U.S. law and regulations, American companies are forbidden to ship “dual use” items (items with civilian as well as military or proliferation applications), such as the peeler, to Iran without first obtaining a license from the U.S. Government.

Sigh. I realize the export law and economic sanctions are a somewhat complicated area of law, but it does not seem unreasonable to suggest that the government employees who are charged with sending people to jail for export violations at least make an effort to understand the laws that they enforce.

[Note: I’m on vacation this week, so this is the last post for this week; normal posting resumes next week.]

BIS Amends EAR to Remove Cuba as a State Sponsor of Terrorism


Posted at 3:59 am on July 23, 2015
Category: BIS, Cuba Sanctions

Cuba Capitole by y.becart (Own work) [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/yoh_59/13697566663 [cropped]

On Wednesday, the Bureau of Industry and Security amended the EAR to reflect the removal of Cuba from the list of state sponsors of terrorism. Somewhat surprisingly, the impact of this removal is much less than might be imagined.

Of most importance, even though Cuba is no longer on the list of State Sponsors of Terrorism, all items exported to Cuba will still either need a license or an applicable license exception. The biggest change is that, by removing Cuba from the E:1 country group, a few license exceptions relating to countries in that group will no longer apply.

First, certain aircraft (principally private civil aircraft not operating under certain FAA carrier certificates) will be able to use License Exception AVS for temporary sojourns to Cuba. Second, certain encryption items that were excluded from being taken by travelers to Cuba in their luggage will now be covered by License Exception BAG. Third, License Exception RPL can now be used to export replacement parts to Cuba for explosive detection equipment and concealed object detectors lawfully exported to Cuba.

If the change in RPL causes you to raise your eyebrows — explosive detection equipment and concealed object detectors in Cuba?! — settle down and take a deep breath. This is just CCL-ese for the stuff they use in airports to screen you and your luggage before you get on the plane. Nobody wants the real terrorists to target planes flying from Cuba, particularly now that they will have more Americans on them.

The Ostriches and the Kookaburra: A Fable for Our Time


Posted at 8:38 am on June 19, 2015
Category: BIS, Criminal Penalties

Ostrich, Wainstalls by James Preston [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/jamespreston/8485895143[cropped]

Two austere ostriches, Osgood and Osbad, who lived near an old gum tree somewhere in the Australian outback, ran a successful business buying cattle prods made by Cow Poke, Inc., located in Kankakee, Illinois, and selling them to cattle farmers in Australia. One day they received an order from the kookaburra who lived in their old gum tree for one of their cattle prods. He even offered cash in advance and said that he would have many other orders in the future.

Osgood looked quizzically at the kookaburra and wondered why a kookaburra might need a cattle prod, but decided not to ask. As it was an unusually warm afternoon, he decided to cool off by burying his head in the sand.

Osbad, dreaming of future orders and hoping to buy a bus trip to Perth for a holiday weekend, asked the kookaburra to hand over the money and promised to bring him a cattle prod right after he paid the money, which he did.

“Don’t you wonder,” said the kookaburra, “what on earth I could possibly do with a cattle prod?”

“No!” said Osbad, “I DO NOT!! It’s quite hot and I think I’ll join my mate Osgood and cool off by burying my head in the sand.”

“Actually,” said the kookaburra, “I’m selling them to my customers in Iran,” but by the time he had said the word “Iran,” Osbad’s head was completely covered with sand and he couldn’t hear a word that the kookaburra was saying.

When the Cow Poke Cattle Prods were discovered in Iran, investigators for the Bureau of Industry and Security (“BIS”) traced them back to Osgood and Osbad. The Australians served a provisional arrest warrant on the two ostriches, who were subsequently extradited to the United States for trial. Once the jurors heard that Osgood and Osbad buried their heads in the sand, it was all over for the poor birds, and they were convicted and sentenced to 6 years in a maximum security prison.

On appeal to the Seventh Circuit, Judge Posner upheld the conviction of Osbad and reversed the conviction of Osgood. He noted

There is no evidence that suspecting he might be [helping the kookaburra sell cattle prods to Iran, Osgood] took active steps to avoid having his suspicions confirmed. Suppose [the kookaburra] had said to him “let me tell you [where the cattle prods are really going],” and he had replied: “I don’t want to know.” That would be ostrich behavior (mythical ostrich behavior—ostriches do not bury their heads in the sand when frightened; if they did, they would asphyxiate themselves). An ostrich instruction should not be given unless there is evidence that the defendant engaged in behavior that could reasonably be interpreted as having been intended to shield him from confirmation of his suspicion that he was involved in criminal activity. [This is exactly what Osbad did, which is why we reverse for Osgood and uphold the conviction for Osbad.]

Osbad remained in maximum security prison, while Osgood was allowed to return to the outback in Australia. On his return, Osgood found a letter from BIS indicating that it had entered a thirty-year export denial order and fined him $250,000 for the sale of the cattle prods to Iran, noting that while ignoring red flags, without more, might save you from jail, it would not save you from the wrath of BIS.

Moral: If you’re going to bury your head in the sand, do it before the kookaburra sings.

The Seventh Circuit opinion in United States v. Macias, which I adapted here, makes clear that simply ignoring red flags is not enough to support the criminal intent necessary for a conviction. The failure to engage in further due diligence in the face of red flags is not, in Judge Posner’s view, sufficient. Instead, there must be some “active avoidance” of learning the facts that the red flags suggest may be probable. Another example of active avoidance given in the opinion involves a hypothetical situation where a landlord, fearing he has rented his property to drug dealers, changes his normal commuting route to avoid driving by the house, fearing he might see drug activity if he did. The “active” in the “avoidance” here is changing the route.

A fuller and more serious discussion of United States v. Macias, written by my colleague Mark Srere and me, can be found here.

[Apologies to James Thurber.]

BIS Cybersecurity FAQs Reach the Right Result for All the Wrong Reasons


Posted at 9:16 pm on June 16, 2015
Category: BIS, Cyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg

After the uproar generated by the proposed amendments to the Export Administration Regulations to implement the Wassenaar Arrangement’s rules controlling “intrusion software,” the Bureau of Industry and Security (“BIS”) tried to calm things down by issuing some FAQs on the proposed rules. Sadly, I don’t think these FAQs are as helpful as BIS apparently thinks that they might be.

To understand the difficulty here, let’s focus on the problem I discussed in this post indicating that the new controls could reach auto-updaters, like the one in Chrome, that bypass operating system protections designed to prevent installation of new software without user interaction. The FAQs now say explicitly that auto-updaters are not covered. That is a good thing, and you (that means you, Google) can take that statement to the bank.

But the reasoning that BIS uses to reach this conclusion is dicey at best. Here it is:

Does the rule capture auto-updaters and anti-virus software?

No. Software that permits automatic updates and anti-virus tools are not described in proposed ECCN 4D004. ECCN 4D004 software must be specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software,” which is separately defined. Software that automatically updates itself and anti-virus software may take steps to defeat protective countermeasures, but they are not generating, operating, delivering, or communicating with “intrusion software”.

The problem with this analysis starts with the fact that BIS admits that an auto-updater is “intrusion software.” That’s an inescapable conclusion, of course, because the auto-updater overrides operating system requirements that require user interaction to install new programs and does so to modify system data by installing the new program. But, we are told by BIS, the auto-updater doesn’t generate, operate, deliver, or communicate with “intrusion software.” Well, that might make sense if the auto-updater is a cyber-version of parthenogenesis and pops into existence completely unaided. That, of course, is nonsense. Some program, either the auto-updater itself or some other lines of code in the program being updated, has to be specially designed to operate, deliver or communicate with the auto-updater for it to work at all. And so that code, either as part of the updater or the program itself, is covered by the ECCN. In short, an auto-updater, unless accompanied by a program covered by the new ECCN, is useless and will not work at all.

The problem here is unavoidable because of the EAR’s broad definition of program:

A sequence of instructions to carry out a process in, or convertible into, a form executable by an electronic computer

The lines of code in Chrome that deliver the auto-updater are, without question, a sequence of instructions convertible into a form executable by a computer, i.e. a program, specially designed to deliver other lines of code to defeat operating system protections requiring user interaction before modifying system data. If Chrome is exported with those lines of code that deliver the auto-updater, it needs a license; if those lines of code are stripped from Chrome, it can be exported but it will not auto-update.

Of course, BIS has made it clear that it does not think auto-updaters are covered, so I don’t think Google needs to worry about violating the law. Unfortunately, the reasoning that BIS used to reach this conclusion is nonsense.
