Archive for the ‘BIS’ Category


Nov

11

EU Moves Ahead on Intrusion Software; BIS Holds Back


Posted by at 7:57 pm on November 11, 2014
Category: BISCCLEUSurreptitious Listening Devices

By Sébastien Bertrand (http://www.flickr.com/photos/tiseb/4592786358/) [CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0) or CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3AEuropean_Commission_flags.jpgOn October 22, the European Commission amended its List of Dual Use Items to include controls on “intrusion software” which the Wassenaar Plenary adopted in December 2013 and which we reported here. The new list, and the export controls on intrusion software, will go into effect after 60 days from October 22 unless the E.U. Council or Parliament interpose objections.

That, of course, raises the question about where the United States is on adopting these controls. Initially spokespersons for the Bureau of Industry and Security indicated that the rules on intrusion detection hardware and software would be out in September. Well, September and October have both come and gone and there is no sign of new rules on this issue.

Of course, at least part of what Wassenaar defined as intrusion software is already controlled in the United States under ECCN 5D980, which was adopted in December 2007 and which controls surreptitious listening software. But 5D980 does not control, as the new controls on intrusion detection software would, software performing “the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.” The scope of the definition of intrusion software is undeniably broad and susceptible of covering some unobjectionable types of software, so it seems clear the BIS must be struggling with how to handle the breadth of the definition and limited unintended consequences.

Permalink Comments Off

Bookmark and Share



Nov

5

Ya Get What Ya Pay For


Posted by at 11:18 pm on November 5, 2014
Category: BIS

Happy 50th by Cochise College via Cochise College official Instagram account http://instagram.com/p/tTViN5IHPh/ [Fair Use]Let’s see. I have an export question that’s troubling me. So what should I do? I know. Let’s write the local newspaper and ask them! What could possibly go wrong?

Dear M & M: I am interested in exporting a product overseas. This product does not require an export license. I am not sure who the end user will be as they are selling to a third party. Is there something I need to do to make sure I am in compliance with regulations?

— Randy

The “answer” comes from Mark Schmitt, director of the Small Business Development Center at Cochise College; and Mignonne Hollis, executive director at the Sierra Vista Economic Development Foundation. (Please, no Mork and Mindy jokes.) Mark and Mignonne do not even stop for a moment to wonder how Randy, who appears to know almost nothing about exporting, is so certain his item does not require an export license and respond:

Dear Randy: If your item falls under the jurisdiction of the U.S. Department of Commerce and is not listed on the Commercial Control Lists, and it does not require an export license it is designated as EAR99.

Generally the majority of commercial products are designated EAR99 and generally will not require a special license to be exported or imported into this country and later re-exported.

Leaving aside the “Commercial Control Lists” gaffe, the first sentence makes almost no sense to me, and one can imagine what sense it makes to Randy. How is Randy supposed to figure out whether his item “falls under the jurisdiction of the” Commerce Department? And if I have an ECCN that doesn’t require a license to a particular jurisdiction does that make my item EAR99? But forget about all that: most products, they say, are EAR99, so Mark and Mignonne are certain that Randy’s item must be as well. Good thing they didn’t print Randy’s last name.

However, if you plan to export an EAR99 item to an embargoed or sanctioned country, to a party of concern, or in support of a prohibited end-use, you may be required to obtain a license. The Bureau of Industry and Security (BIS) have what they call advisory opinions relating to what they call red flags when exporting to another country. The following link has general topics one should check out if you suspect something is wrong http://www.bis.doc.gov/index.php/policy-guidance/advisory-opinions.

If Mark and Mignonne were teetering off balance in the first two paragraphs, they have gone completely off the rails here. Who knew that the advisory opinions talked about red flags or would help Randy realize that not knowing the end customer might get him in hot water without further investigation and/or contractual undertakings by the intermediate consignee?

Not knowing the end user especially if your product can be refitted to serve another purpose or knowingly suspect a third party reselling your items to a country that the U.S. has sanctioned can get you into trouble.

Of course, not knowing the end user can be a problem whether or not your product can be refitted. And if you know that your intermediate consignee is selling to a sanctioned country, knowing your end user is not going to help at all.

Finally, Mark and Mignonne  say to Randy what they should have said from the outset, indeed, what should have been the only thing they said to Randy

The Export Counselling Division of the Office of Exporter Services can be reached at any of the numbers below …

Next week Mark and Mignonne attempt to explain to a confused reader why string theory is a possible explanation for the commutation rules of quantum mechanics. Stay tuned.

Permalink Comments (1)

Bookmark and Share



Oct

20

Did Ron Jeremy Save This Export Defendant From Jail?


Posted by at 6:31 pm on October 20, 2014
Category: BISCriminal PenaltiesIran Sanctions

Touraj Ghavidel and Ron Jeremy via Ghavidel's Twitter Feed https://twitter.com/MrTouraj [Fair Use]
ABOVE: Touraj Ghavidel and Ron
Jeremy


The Bureau of Industry and Security just released settlement documents resolving allegations that Borna Faizy, Touraj Ghavidel and Signal Microsystems, Inc., illegally exported computer equipment from the United States to Iran. According to the BIS charges, Faizy, Ghavidel and Signal Microsystems transshipped the items through Dubai (where else?), used coded language in emails with Iranian customers to hide their customer’s identities and locations, and falsely stated on their Electronic Export Information filings that the ultimate end users were in Dubai. As a result, over at least 2 years, more than $1 million in computer equipment was shipped by the three to Iran. Under the settlement agreement, no fine is being imposed; rather the three exporters have agreed to a ten-year denial order.

The settlement agreement comes on the heels of a plea agreement entered by Faizy and Ghavidel where they plead to making false statements to federal agents in violation of 18 U.S.C. § 1001. Under the plea, the government and the defendants agree that a fine and one year probation would be an adequate sentence. The basis for the charge under 18 U.S.C. § 1001 is that Faizy and Ghavidel, when questioned by federal investigators, swore up and down that they were absolutely not doing any business with Iran and would never ever even think of doing so, cross their hearts and hope to, etc., etc.

It is hard to tell why such a favorable plea deal was reached here. The false EEIs and the coded emails certainly suggest that the defendants knew that they were breaking the law. And they also managed to ship a boat load, almost literally, of computers to Iran. All I can figure is that the prosecutors saw the picture of Ghavidel with Ron Jeremy, which Ghavidel put on his own Twitter feed, and decided that Ghavidel was too cool to go to jail.

Permalink Comments (2)

Bookmark and Share



Oct

13

It’s Déjà Vu All Over Again All Over Again


Posted by at 11:50 am on October 13, 2014
Category: Anti-BoycottBIS

McWane Pipes via http://www.mcwanepipe.com/upl/images/homepage/51269ef106307116cac-a9f28ef2.jpg [Fair Use]The best job at the Bureau of Industry and Security is, without question, working at the Office of Antiboycott Compliance (“OAC”) because all their cases are pretty much the exact same thing, leaving plenty of time to finish the daily crossword puzzle and read the sports pages. If you don’t believe me that they are all the same, just look at the latest enforcement action from OAC against McWane International, an Alabama company that manufacturers water pipes. McWane agreed to a $7,000 fine for providing a certificate that a ship was “allowed by Arab authorities to call at Arabian ports” and failing to report documentary requirements in a letter of credit for a certificate from the “owner, carrier or captain of the vessel or their agent” that the ship could call in Arab ports.

Regular readers of this blog, which obviously did not include anyone at McWane, will immediately see the problems with these certifications. Under BIS rules such certifications can only be made by the “owner, charterer, or master” of the ship. It can’t be made by McWane (which was none of the above) or by an “agent” of the “owner, charterer, or master.” We’ve talked about this identical issue at length here and here.

Fortunately the fine is only $7,000, well below an amount that might lead anyone to challenge the dubious statutory authority of the Office of Antiboycott Compliance to even exist. Disagreements over the antiboycott provisions in the Export Administration Act were one of the reasons that the act lapsed. Whether in that context the existence of the Arab boycott is a national emergency authorizing the President to extend the antiboycott provisions under the International Economic Emergency Powers Act (“IEEPA”) is highly questionable.

Permalink Comments (3)

Bookmark and Share



Oct

8

Intel Sub Fined for Encryption Exports


Posted by at 9:14 pm on October 8, 2014
Category: BISEncryption

Wind River Convention Booth via https://twitter.com/WindRiver/media [Fair Use]The Bureau of Industry and Security (“BIS”) announced today that it had convinced Wind River, an Intel subsidiary, to pay a whopping $750,000 to settle charges that it exported products with encryption functionality without required licenses. There were also four unlicensed exports of the items to parties on the BIS Entity List.  This is the first announced fine (at least to my knowledge) involving encryption exports, and it has created a bit of a stir among those of us who handle encryption export matters.

Basically the encryption rules try to prevent the export of technology that every twelve-year-old in Estonia already has. Door to empty barn, meet escaping horses; escaping horses, meet door to empty barn. It is a not-so-well-kept secret that the encryption rules are not really there to protect sensitive U.S. technology but as a means to permit the NSA to see who is using what encryption where in order to better snoop on everyone using encryption.

As usual, details are scarce in the settlement documents as to what exactly went on, with the documents simply saying that Wind River exported items classified as 5D002 to government end users in China, Hong Kong, Russia, Israel, South Africa and South Korea. A little snooping of our own showed that the items involved, mostly real time operating systems, were classified by Wind River as 5D002 “ENC restricted.” All ENC restricted items require licenses to government end users in countries other than those countries listed in Supplement 3 to Part 740 of the EAR. The countries involved in the exports at issue are not Supp. 3 countries and, hence, required a license.

The BIS press release justified the size of the fine, despite Wind River’s voluntary disclosure of the violation, because it would “serve as a reminder to companies of their responsibility to know their customers and, when using license exceptions, to ensure their customers are eligible recipients.” This suggests that Wind River’s problems may have arisen because it was dealing with entities that it did not realize were government end users.

However the BIS definition of government end users is hardly a model of clarity:

A government end-user is any foreign central, regional or local government department, agency, or other entity performing governmental functions; including governmental research institutions, governmental corporations or their separate business units (as defined in part 772 of the EAR) which are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List. …

Consider the portion of the definition that includes “governmental corporations or their separate business units (as defined in part 772 of the EAR) which are engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List.”   For starters, does the qualifier “engaged in manufacture … of items … on the Wassenaar Munitions List” qualify just “separate business units” or both “governmental corporations” and “separate business units”? And what are government corporations? Companies that have a government charter but private ownership? Companies that have a significant percentage owned by the government? Private companies given a government monopoly and that perform a traditional government function? Who knows? But if you get it wrong, expect to be fined by BIS and to be the object of a snide comment that it’s your own darn fault for not figuring out that the company was a government corporation under an essentially meaningless definition.

Permalink Comments (1)

Bookmark and Share