Archive for the ‘BIS’ Category



BIS Imposes Controls on High-Tech Cloaking Material

Posted by at 7:57 pm on November 19, 2015
Category: BIS

XBS Epoxy System Demo via [Fair Use]

On Monday, BIS announced an “interim final” rule (a top contender for the best oxymoronic regulatory phrase ever) imposing export controls on Harry Potter’s invisibility cloak as well as on tarnhelms, the predecessor technology to the invisibility cloak. Actually, the control, which was effective immediately upon publication, was placed on a high-tech equivalent of those two items, namely, XBS epoxy systems.

The website of Space Photonics, which is the apparent developer of this technology, explains the technology. According to that website, XBS epoxy systems are

proven effective in obfuscation of critical technology components against X-Ray and Terahertz Microscopy imaging attempts … developed to conceal critical components from adversaries.

The picture on the left is a visual demonstration of the technology.

One interesting issue of an immediately effective “interim final” rule is a simple commercial issue. Suppose one of the systems was in transit on the date of publication. If it crossed the U.S. border after the rule was published, did the exporter violate the law? The rule has no grandfathering or savings provision, so the apparent answer would be that the exporter did violate the law and could be subject to civil penalties. It seems doubtful that BIS would fine someone in that situation, but it’s hard to see why the immediately effective rule did not address this issue rather than throw any such exporters on the presumed mercy of BIS.

Because it is an “interim not-yet-final but almost and pretty much but not quite final rule,” BIS will permit comments on the rule until January 15, 2016, after which BIS will presumably issue the “final and we really mean final this time final” rule.




I’m from the Government and I’m Here to Fine You (Twice)

Posted by at 12:25 am on November 6, 2015
Category: BIS, SDN List

PPI via [Fair Use]

Back in August, we detailed the sad story of Production Products, a small family-run business in Maryland that sent OFAC into a tizzy and received a $78,5000 fine because, heaven forfend, the company had never heard of the SDN list and sent HVAC duct manufacturing equipment worth $500,000 to an SDN in China, which equipment is now probably being used to make bombs and missiles and stuff. We took the occasion to suggest that, rather than pitch a fit, OFAC should engage in a bit of reflection and wonder why a small mom-and-pop company in Maryland might never have heard of its SDN list.

Well, Production Products’s woes were scarcely over because BIS, equally annoyed that Production Products doesn’t have someone read the Federal Register cover-to-cover every day, has decided it ought to pile on with its own $50,000 fine for the same violation, as well as punishing the company with a year in detention or the equivalent, namely requiring three officials to attend export school and report back to BIS Special Agents with “attendance certificates.”

BIS gets to attend this punching party as a result of section 744.8 of the Export Administration Regulations which makes it a violation of the EAR to deal with any SDN that is listed “with the bracketed suffix [NPWMD].” And that was the case here. The Chinese company on the list has the “bracketed suffix [NPWMD]” which means (for those of you who don’t speak the Low Middle Inflected Dialect of the Exportish language) that they were put on the list for reasons having to do with their involvement in nuclear proliferation and/or weapons of mass destruction.

Like OFAC, BIS was miffed that Precision Products had never heard of the SDN and, as a result, imposed a fine and the requirement that the miscreants take a course at Export School and bring back proof of attendance. But, also as was the case with OFAC, this was less an opportunity for BIS to get lathered up than it was an opportunity for self-reflection. What has BIS done to make sure that small businesses know about its arcane and complex regulations?





Free Food and Drink

Posted by at 11:56 pm on October 29, 2015
Category: BIS

Update 2015

If you are attending BIS Update 2015 and would like to get together for some free food and drink, please drop me an email at I have some invitations for a reception being held at Bryan Cave on the evening of November 3 which I can send to you. I’ll be there but, more importantly, so will be things to eat and drink.




Beijing’s Review of U.S. Software Risks Export Woes for Those Who Allow It

Posted by at 10:43 pm on October 19, 2015
Category: BIS, China, Encryption

140515-D-VO565-003 by Chief of Joint Chiefs of Staff via Flickr [Public Domain - Work of U.S. Government]

An article that appeared last Friday in the Wall Street Journal suggests that at least one U.S. company is providing the Chinese government with access to proprietary U.S. source code as a condition for access to the Chinese market. What could possibly go wrong with that??

Just as a burglar, who normally suspects everyone else of having his own larcenous motives, puts extra bars on his own doors and windows, the Chinese seem to be worried that U.S. software might have backdoors that allow the U.S. to hack into Chinese systems. Imagine that.

IBM has begun allowing officials from China’s Ministry of Industry and Information Technology to examine proprietary source code—the secret sauce behind its software—in a controlled space without the ability to remove it from the room, the people said. It wasn’t clear which products IBM was allowing reviews of or how much time ministry officials can spend looking at the code. The people said the practice was new and implemented recently.

The Wall Street Journal suggests that this access, which is designed to quell Chinese fears that the U.S. will do unto China what China has done unto the U.S., is largely symbolic because the Chinese are not being given sufficient time to comb through thousands of lines of code looking for back doors.

The problem here, however, is that most software programs these days, particularly ones that might have “back door” entry concerns, will have encryption; and the EAR imposes special restrictions on exporting certain types of encryption source code to certain government end-users. Encryption source code that is classified as ECCN 5D002 (i.e., is not mass market) and is not publicly available is classified under section 740.17(b)(2)(i)(B) of license exception ENC. Under paragraphs (1) and (2) of the Note to 740.17(b)(2), such encryption source code can, after a classification request, be immediately exported under license exception ENC to any end-user (including a government end-user) in a Supplement 3 country and to non-government end-users in countries, such as China, which are not Supplement 3 countries. However, 5D002 encryption source code that is not publicly available, i.e., that is not available by download or otherwise to members of the public, can only be exported to a government end-user outside Supplement 3, such as the Chinese government, with a license from the Bureau of Industry and Security. (A very good chart explaining the baroque complexities of license exception ENC can be found here.)

Now, here’s the catch. Most encryption algorithms are publicly available, but the code used by specific software to implement that algorithm is not. Indeed, if that code were publicly available, the Chinese wouldn’t need to review it, and the reviewing company would not insist that the code be examined in a “controlled space.” Indeed, you have to imagine that it is precisely the non-public code implementing the public algorithm which would be of most interest to Chinese reviewers concerned about U.S. software having back doors for Uncle Sam to come snooping.

Let me be clear: I’m not saying that IBM has broken any laws here. We don’t know whether the software being examined is 5D002 software or, if it is, that IBM hasn’t applied for and received a license. Rather my point is this: companies that consider giving source code access to the Chinese should only move ahead with a great deal of caution if the software utilizes encryption.




Voluntary Disclosure Serves as Chum for Derivative Suit Plaintiffs’ Lawyers

Posted by at 9:50 pm on September 28, 2015
Category: BIS, Iran Sanctions, OFAC

Shark by Jeff Kubina [CC-BY-SA-2.0], via Flickr [cropped]

An unfortunate issue for publicly traded companies that file voluntary disclosures is what seems to be an increasing trend: plaintiffs’ lawyers specializing in derivative shareholder suits circling the company looking for a kill. This seems to be particularly true if there is a whiff of Iran in the voluntary disclosure, something that attracts plaintiffs’ lawyers like buckets of chum in the water, the lawyers well knowing that once they can ominously whisper Iran in front of a jury, their contingent fee award and that new Ferrari are a done deal.

Here’s a particularly instructive example of a plaintiffs’ firm called Harwood Feffer LLP trolling for plaintiffs in a press release on PR Newswire on the heels of a company’s voluntary disclosure to OFAC and BIS:

Harwood Feffer LLP … is investigating potential claims against the board of directors of VASCO Data Security International, Inc. … concerning whether the board has breached its fiduciary duties to shareholders.

On July 21, 2015, VASCO disclosed that certain of its products may have been illegally sold to parties in Iran subject to economic sanctions. The Company has notified the U.S. Department of the Treasury, Office of Foreign Assets Control and the U.S. Department of Commerce, Bureau of Industry and Security and will report to them the full extent of the violations once an internal review has been completed.

If you own VASCO shares and wish to discuss this matter with us, or have any questions concerning your rights and interests with regard to this matter, please contact [us].

Oh dear. That sounds grim. The company’s products sold “to parties in Iran subject to economic sanctions.” Somebody better get out their checkbooks so that Mr. Harwood and Mr. Feffer can make the down payment on that Ferrari. (Never mind, of course, the misunderstanding of U.S. sanctions evinced by “sold to parties in Iran subject to economic sanctions” . . . as if there were parties in Iran not subject to sanctions.)

But, of course, this frightening scenario cooked up by Harwood Feffer loses most, if not all, of its steam when you look at the SEC filing that prompted the Harwood Feffer “investigation.”

VASCO regularly sells products through third party distributors, resellers and integrators (collectively “Resellers”). VASCO’s standard terms and conditions of sale and template agreements that are in general use prohibit sales and exports of any VASCO products contrary to applicable laws and regulations, including United States export control and economic sanctions laws and regulations. VASCO, however, does not always have visibility over its Reseller’s ultimate customers.

VASCO management has recently become aware that certain of its products which were sold by a VASCO European subsidiary to a third-party distributor may have been resold by the distributor to parties in Iran … .

The Audit Committee of the Company’s Board of Directors has initiated an internal investigation to review this matter with the assistance of outside counsel. VASCO has stopped all shipments to such distributor pending the outcome of the investigation which will include a review and recommendations to improve, if necessary, VASCO’s applicable compliance procedures regarding these matters. As a precautionary matter, concurrent initial notices of voluntary disclosure were submitted on June 25, 2015 with each of the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”), and the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”). The Company will file a further report with each of OFAC and BIS after completing its review and fully intends to cooperate with both agencies.

Regular readers of this blog will, no doubt, find risible claims that the actions by VASCO management described above are a breach of fiduciary duty. The products were not sold by VASCO but by a distributor under a contractual obligation not to resell the products to Iran. VASCO, once it learned of the sales, halted all sales to the distributor, commenced an internal investigation, and filed precautionary initial notifications with BIS and OFAC. In other words, they followed what appear to have been best practices in such a situation. And now, they have to deal with the likes of Messrs. Harwood and Feffer.

There are two lessons here. First, the potential discovery requests from plaintiffs’ lawyers in search of contingent fee awards mean that companies must be particularly careful to assure that the internal investigation is covered, to the extent possible, by attorney-client privilege. Second, I think publicly traded companies will begin to re-evaluate filing precautionary initial notices of voluntary disclosure with respect to sales made, without the company’s knowledge or consent, to embargoed countries. Rather, I think we’ll see companies decide to conduct a robust internal investigation and then file an initial notification only if that investigation turns up evidence that the company or its employees knew of, or consented to, the sales in question.
