Archive for the ‘BIS’ Category


Jul

27

Don’t Believe Everything You Read in the Newspaper


Posted by at 11:32 am on July 27, 2015
Category: BISCriminal PenaltiesIran Sanctions

Republian Herald HQ via Google Maps [Fair Use]

From the Republican Herald (Pottsvile, PA) story on a guilty plea by Falcon Instrumentation and Machinery FZE in connection with an attempted shipment by Pennsylvania-based Hetran, Inc. of a bar peeling machine to Iran:

Federal prosecutors allege the machine, valued at more than $800,000 and weighing more than 50,000 pounds, has both military and civilian uses, which meant Hetran could not ship it to Iran without obtaining a license from the U.S. government. The machine is used in the production of high-grade steel, which is used in making automobiles and aircraft parts, according to prosecutors.

As astute readers of this blog will no doubt already know, U.S. companies like Hetran can’t ship anything at all (including EAR99 items) to Iran without a license or an applicable exception. But before we jump down the throat of a poor reporter in Pottsville, let’s think about what likely happened. In doing that, realize first that local reporters like DOJ press releases more than cats love catnip. Just rewrite it a little and push send and the day’s work is done.

And, indeed, as suspected there is a DoJ press release and it says this:

Under U.S. law and regulations, American companies are forbidden to ship “dual use” items (items with civilian as well as military or proliferation applications), such as the peeler, to Iran without first obtaining a license from the U.S. Government.

Sigh. I realize the export law and economic sanctions are a somewhat complicated area of law, but it does not seem unreasonable to suggest that the government employees who are charged with sending people to jail for export violations at least make an effort to understand the laws that they enforce.

[Note: I’m on vacation this week, so this is the last post for this week; normal posting resumes next week.]

Permalink Comments (0)

Bookmark and Share



Jul

23

BIS Amends EAR to Remove Cuba as a State Sponsor of Terrorism


Posted by at 3:59 am on July 23, 2015
Category: BISCuba Sanctions

Cuba Capitole by y.becart(Own work) [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/yoh_59/13697566663[cropped]On Wednesday, the Bureau of Industry and Security amended the EAR to reflect the removal of Cuba from the list of state sponsors of terrorism. Somewhat surprisingly, the impact of this removal is much less than might be imagined.

Of most importance, even though Cuba is no longer on the list of State Sponsors of Terrorism, all items exported to Cuba will still either need a license or an applicable license exception. The biggest change is that, by removing Cuba from the E:1 country group, a few license exceptions relating to countries in that group will no longer apply.

First, certain aircraft (principally private civil aircraft not operating under certain FAA carrier certificates) will be able to use License Exception AVS for temporary sojourns to Cuba. Second, certain encryption items that were excluded from being taken by travelers to Cuba in their luggage will now be covered by License Exception BAG. Third, License Exception RPL can now be used to export replacement parts to Cuba for explosive detection equipment and concealed object detectors lawfully exported to Cuba.

If the change in RPL causes you to raise your eyebrows — explosive detection equipment and concealed object detectors in Cuba?! — settle down and take a deep breath. This is just CCL-ese for the stuff they use in airports to screen you and your luggage before you get on the plane. Nobody wants the real terrorists to target planes flying from Cuba, particularly now that they will have more Americans on them.

Permalink Comments (0)

Bookmark and Share



Jun

19

The Ostriches and the Kookaburra: A Fable for Our Time


Posted by at 8:38 am on June 19, 2015
Category: BISCriminal Penalties

Ostrich, Wainstalls by James Preston [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/jamespreston/8485895143[cropped]

Two austere ostriches, Osgood and Osbad, who lived near an old gum tree somewhere in the Australian outback, ran a successful business buying cattle prods made by Cow Poke, Inc., located in Kankakee, Illinois, and selling them to cattle farmers in Australia. One day they received an order from the kookaburra who lived in their old gum tree for one of their cattle prods. He even offered cash in advance and said that he would have many other orders in the future.

Osgood looked quizically at the kookaburra and wondered why a kookaburra might need a cattle prod, but decided not to ask. As it was an unusually warm afternoon, he decided to cool off by burying his head in the sand.

Osbad, dreaming of future orders and hoping to buy a bus trip to Perth for a holiday weekend, asked the kookaburra to hand over the money and promised to bring him a cattle prod right after he paid the money, which he did.

“Don’t you wonder,” said the kookaburra, “what on earth I could possibly do with a cattle prod?”

“No!” said Osbad, “I DO NOT!! It’s quite hot and I think I’ll join my mate Osgood and cool off by burying my head in the sand.”

“Actually,” said the kookaburra, “I’m selling them to my customers in Iran,” but by the time he had said the word “Iran,” Osbad’s head was completely covered with sand and he couldn’t hear a word that the kookaburra was saying.

When the Cow Poke Cattle Prods were discovered in Iran, investigators for the Bureau of Industry and Security (“BIS”) traced them back to Osgood and Osbad. The Australians served a provisional arrest warrant on the two ostriches who were subsequently extradited to the United States for trial. Once the jurors heard that Osgood and Osbad buried their heads in the sand, it was all over for poor birds, and they were convicted and sentenced to 6 years in a maximum security prison.

On appeal to the Seventh Circuit, Judge Posner upheld the conviction of Osbad and reversed the conviction of Osgood. He noted

There is no evidence that suspecting he might be [helping the kookaburra sell cattle prods to Iran, Osgood] took active steps to avoid having his suspicions confirmed. Suppose [the kookaburra] had said to him “let me tell you [where the cattle prods are really going],” and he had replied: “I don’t want to know.” That would be ostrich behavior (mythical ostrich behavior—ostriches do not bury their heads in the sand when frightened; if they did, they would asphyxiate themselves). An ostrich instruction should not be given unless there is evidence that the defendant engaged in behavior that could reasonably be interpreted as having been intended to shield him from confirmation of his suspicion that he was involved in criminal activity. [This is exactly what Osbad did, which is why we reverse for Osgood and uphold the conviction for Osbad.]

Osbad remained in maximum security prison, while Osgood was allowed to return to the outback in Australia. On his return, Osgood found a letter from BIS indicating that it had entered a thirty-year export denial order and fined him $250,000 for the sale of the cattle prods to Iran, noting that while ignoring red flags, without more, might save you from jail, it would not save you from the wrath of BIS.

Morale: If you’re going to bury your head in the sand, do it before the kookaburra sings.

The Seventh Circuit opinion in United States v. Macias, which I adapted here, makes clear that simply ignoring red flags is not enough to support the criminal intent necessary for  a conviction. The failure to engage in further due diligence in the face of red flags is not, in Judge Posner’s view, sufficient. Instead, there must be some “active avoidance” of learning the facts that the red flags suggest may be probable.  Another example of active avoidance given in the opinion involves a hypothetical situation where a landlord, fearing he has rented his property to drug dealers, changes his normal commuting route to avoid driving by the house, fearing he might see drug activity if he did.  The “active” in the “avoidance” here is changing the route.

A fuller and more serious discussion of United States v. Macias, written by my colleague Mark Srere and me, can be found here.

[Apologies to James Thurber.]

Permalink Comments (1)

Bookmark and Share



Jun

16

BIS Cybersecurity FAQs Reach the Right Result for All the Wrong Reasons


Posted by at 9:16 pm on June 16, 2015
Category: BISCyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Min istry_of_Defence_MOD_45153616.jpgAfter the uproar generated by the proposed amendments to the Export Administration Regulations to implement the Wassenaar Arrangement’s rules controlling “intrusion software,” the Bureau of Industry and Security (“BIS”) tried to calm things down by issuing some FAQs on the proposed rules. Sadly, I don’t think these FAQs are as helpful as BIS apparently thinks that they might be.

To understand the difficulty here, let’s focus on the problem I discussed in this post indicating that the new controls could reach auto-updaters, like the one in Chrome, that bypass operating system protections designed to prevent installation of new software without user interaction. The FAQs now say explicitly that auto-updaters are not covered. That is a good thing, and you (that means you, Google) can take that statement to the bank.

But the reasoning that BIS uses to reach this conclusion is dicey at best. Here it is:

Does the rule capture auto-updaters and anti-virus software?

No. Software that permits automatic updates and anti-virus tools are not described in proposed ECCN 4D004. ECCN 4D004 software must be specially designed or modified for the generation, operation or delivery of, of communication with, “intrusion software,” which is separately defined. Software that automatically updates itself and anti-virus software may take steps to defeat protective countermeasures, but they are not generating, operating, delivering, or communicating with “intrusion software”.

The problem with this analysis starts with the fact that BIS admits that an auto-updater is “intrusion software.” That’s an inescapable conclusion, of course, because the auto-updater overides operating system requirements that require user interaction to install new programs and does so to modify system data by installing the new program. But, we are told by BIS, the auto-updater doesn’t generate, operate, deliver, or communicate with “intrusion software.” Well, that might make sense if the auto-updater is a cyber-version of parthenogenesis and pops into existence completely unaided. That, of course, is nonsense. Some program, either the auto-updater itself or some other lines of code in the programbeing updated have to be specially designed to operate, deliver or communicate with the auto-updater for it to work at all. And so that code, either as part of the updater or the program itself, is covered by the ECCN. In short, an auto-updater unless accompanied by a program covered by the new ECCN is useless and will not work at all.

The problem here is unavoidable because of the EAR’s broad definition of program:

A sequence of instructions to carry out a process in, or convertible into, a form executable by an electronic computer

The lines of code in Chrome that deliver the auto-updater are, without question, a sequence of instructions convertible in a form executable by a computer, i.e. a program, specially designed to deliver other lines of code to defeat operating system protections requiring user interaction before modifying system data. If Chrome is exported with those lines of code that deliver the auto-updater it needs a license; if those lines of code are stripped from Chrome, it can be exported but it will not auto-update.

Of course, BIS has made it clear that it does not think auto-updaters are covered, so I don’t think Google needs to worry about violating the law. Unfortunately, the reasoning that BIS used to reach this conclusion is nonsense.

Permalink Comments Off on BIS Cybersecurity FAQs Reach the Right Result for All the Wrong Reasons

Bookmark and Share



Jun

10

The District of Columbia? Is That Somewhere in South America?


Posted by at 11:59 pm on June 10, 2015
Category: BIS

African American Civil War Memorial Metro Stop by Clif Burns via Flickr https://www.flickr.com/photos/clif_burns/12398814043/ [with permission]Those of us who live in the District of Columbia are used to, if not content with, the routine indignities imposed on us as residents of that tiny square of reclaimed swamp land sandwiched in between Virginia and Maryland.   Like convicted felons, we can’t vote for anyone in Congress.  Like third-world dictatorships, any laws enacted by our city council cannot go into effect unless approved by our unelected overlords in Congress.  When trying to book a hotel or buy a gadget over the Internet, we find we can’t fill out the order form because the District of Columbia, which is not a state, is not listed in the drop-down list of states.   When traveling, we can be denied boarding flights because some TSA agent decided that a D.C. drivers license isn’t a state-issued ID.

So kudos to the Bureau of Industry and Security (“BIS”) for, at last, recognizing that the District of Columbia exists, as it finally did in the recently proposed amendment to the definitions in the Export Administration Regulations.  Currently, section 734.2(b)(8) of the EAR says this:

Export or reexport of items subject to the EAR does not include shipments among any of the states of the United States, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States. These destinations are listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census

Take a look at Schedule C which defines those territories, dependencies and possessions of the United States that are not exports, and you will see Puerto Rico, the Virgin Islands, Guam, American Samoa, Northern Mariana Islands, and the United States Minor Outlying Islands. Conspicuously missing from the list is the District of Columbia.

The proposed amendments add a new section 734.18(a)(3) which says this:

Shipping, moving, or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the
Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census.

Now that may be good news for us in the District of Columbia, but it’s bad news for anyone who has ever shipped an item on the Commerce Control List, such as a cattle prod, into the District of Columbia in the past five years. Anyone who did that has violated U.S. export laws because the District of Columbia is not a state and it’s not listed in Schedule C. It’s a foreign destination under current rules. You could go to jail. You could be fined $250,000 for each such export by BIS. You could have your export privileges denied. So, folks, get those voluntary disclosures in before you find a team of ICE agents in your offices carting off all your computers and interrogating all your employees.

Permalink Comments (1)

Bookmark and Share