Archive for the ‘BIS’ Category



Fun BIS Fact: Companies May Actually Know What They Don’t Know

Posted by Clif Burns at 3:41 pm on January 28, 2014
Category: BISCriminal Penalties

Amplifier Research HQ Street View from Google [By Permission]
ABOVE: Amplifier Research HQ

There seems to be a recent plague of rogue export control managers with a penchant for forging licenses, making up authorizations, fudging exemptions and exceptions and engaging in other nefarious practices in order to avoid having to do any actual work while on the job they are being paid for. First it was LeAnne Lesmeister who specialized in photoshopping fake export licenses. Now we have Timothy Gormley at Amplifier Research Corporation who among other things falsified paperwork to conceal correct export classifications, listed fake license numbers on export documentation, authorized exports before license applications were granted and lied to other employees at the company about the existence of required export licenses.

The BIS settlement documents assert that Amplifier Research never conducted any compliance audits during the time that Gormley was running the export show. BIS imposed a $500,000 suspended fine on Amplifier Research to settle the violations and required the company to conduct a complete export compliance audit. A federal judge awarded Gormley a 42-month vacation in a federal correctional facility.

This all seems pretty routine until you get to the last count against the Company in which BIS charges Amplifier Research with “acting with knowledge” of the illegal exports at issue. The Export Administration Regulations define knowledge as follows:

Knowledge of a circumstance (the term may be a variant, such as “know,” “reason to know,” or “reason to believe”) includes not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person’s willful avoidance of facts.

Neither this definition of knowledge, nor section 764.2 of the EAR, addresses when a company knows something. Additionally, neither addresses the issue as to whether the knowledge of each and every employee can be imputed to the company for purposes of “acting with knowledge” violations under section 764.2. Certainly, Gormley can be said to have acted with knowledge, but should the company also be said to have acted with knowledge unless senior management had “knowledge” as defined above of Gormley’s actions? Certainly those standards of knowledge would not be met simply because the company failed to conduct a compliance audit on Gormley and the export program. Rather, it seems to me, there would need to some red flags that senior management ignored and there is no evidence or assertion by BIS that there were any such ignored red flags.

Permalink Comments (5)

Bookmark and Share



Export Reform Brings More Red Tape for Exporters

Posted by Clif Burns at 6:16 pm on January 14, 2014
Category: BIS

By Daderot (Own work) [CC0], via Wikimedia Commons I have good news and bad news. Let’s take the bad news first. Starting on January 21, new rules of the Bureau of Industry and Security (“BIS”) with respect to exports to persons on the mysterious “Unverified List” will require more red tape, including extra license requirements and more paperwork. Now for the bad news. On January 21, everyone on the current Unverified List will be removed from the list. But, don’t get all excited there: BIS starts planning to add people back to the list and will announce the changes in the Federal Register so you’ll be sure to know who’s on the new Unverified List. (You read the Federal Register every day like a good exporter, don’t you?)

Prior to the adoption of the new rules, the presence of a party on the Unverified List meant that BIS had some difficulty with respect to an end-user check for that party and that you, as an exporter, were supposed to treat the presence of that party on the list as a red flag. When the rule goes into effect on January 21, you will need to file an AES statement for every export to a party on the list without regard to whether a license was required or the value of the shipment. (And for those of you who rely on your freight forwarder to file your AES entries, this is going to be fun.) Second, no license exceptions will apply for shipments that require licenses. Third, you’re going to need to get the Unverified party to sign an “Unverified List Statement” for all transactions that don’t require a license. The new rules don’t provide a form for the Unverified List Statement t but just a laundry list of things that you must include in the Statement, including a promise by the Unverified Party to be very, very good and not violate anything in the Export Administration Regulations. Good luck with that, as the kids say.

Permalink Comments Off

Bookmark and Share



Be Careful What You Post on Facebook

Posted by Clif Burns at 6:58 pm on January 9, 2014
Category: BISIran Sanctions

Pouya Airlines IL 76 at Antalya Airport via [Fair Use]We’ve all heard the story of exuberant youngsters who find their career hopes dashed because they posted on Facebook pictures of themselves half-clothed and glassy-eyed with a margarita in one hand and a bong in the other. It’s a cautionary tale, for sure, and has certainly meant that many people have realized that they perhaps should confine pictures of their latest bacchanalian orgy to a more discrete mode of distribution among friends than Facebook. If you wouldn’t send it to your grandmother, don’t post it on your Facebook page, right?

So, you’re wondering, what does this have to do with export law? Well, believe it or not, it relates to a possible explanation of a recent temporary denial order issued by the Bureau of Industry and Security (“BIS”) on January 3 against 3K Aviation and others related to the planned export on January 7 of U.S.-origin aircraft engines by 3K from Turkey to Iran via the Iranian cargo carrier Pouya Airline. Many people have expressed surprise that a TDO would be issued that forbade all export related activity by 3K rather than an order forbidding the export of the engines at issue given that the order was issued before the export at issue had even taken place. Typically, as in the Mahan Air case, the TDO is issued after the forbidden export has occurred and prohibits all export-related activity during the effective period of the TDO.

On 3K’s Facebook page, you can (still) find a photo gallery titled “IL 76 Engine Loading” and dated December 27. 2012, long before the TDO. The IL 76 is the Ilyushin cargo aircraft operated by Pouya Airlines. Here is a screen capture of the Facebook page showing the Pouya IL 76 sitting at the Antalya Airport in Turkey. And here is a screen capture from the page of the happy pilots in the IL 76 about to carry their engines back to Iran. (You can easily find images of the IL 76 cockpit on-line if you want to verify that this is an IL 76 cockpit.) In other words, the planned January 7 shipment of U.S aircraft engines to Iran was possibly not the first time that 3K had exported U.S. items to Iran.

For its part, 3K is saying that it’s now planning to ship the engines back to the seller in Germany. Of course, under the denial order they can’t export the engines back to Germany without BIS authorization. And here’s a Catch-22: under the TDO they can’t even store the engines without violating the order.  Whatever 3K does, it will violate the order.

Permalink Comments Off

Bookmark and Share



Name That Country!

Posted by Clif Burns at 6:31 pm on December 18, 2013
Category: BISDoJSanctionsSyria

Dell HQ [Fair Use]The Securities and Exchange Commission just released on Monday, according to this article, correspondence that it had with Dell regarding an on-going  investigation by Dell, the DOJ, and the Bureau of Industry and Security (“BIS”) regarding sales of Dell computers to Syria.  These sales were made by a Dell distributor based in the U.A.E. In that correspondence, Dell indicated that it was conducting an internal investigation with outside counsel into sales by one of its Dubai-based distributors, was regularly communicating with the U.S. Attorney regarding that investigation, and had responded to a BIS subpoena requesting information about the sales in question. The company said that the investigation was not yet complete so that the company could not yet respond to the SEC’s questions as to whether Dell had any liability under U.S. export and sanctions law arising from the distributor’s sales to Syria.

The company, however, did try to suggest that it might not be liable because of a clause it cited in its distribution agreement:

Distributor acknowledges that Products licensed or sold hereunder or in respect of which services (including Dell Branded Services) are provided, which may include software, technical data and technology, are subject to the export control laws and regulations of the USA, the European Union, the Territory in which Distributor operates and the territory from which they were supplied, and that Distributor will abide by such laws and regulations. Distributor confirms that it will not export, re-export or trans-ship the Products, directly or indirectly, … to … any countries that are subject to the USA’s or those other relevant territories’ export restrictions or any national thereof … .

To paraphrase someone else, I guess you go to war with the language you have — that is to say, this language is hardly ideal. It relies on the distributor to know what countries are subject to U.S. export restrictions. Do you really think that a distributor in the U.A.E. is aware of the details of U.S. sanctions programs or even which countries are on the current U.S. bad country list? Probably not.

I certainly do not mean to imply that Dell has criminal or civil liability because of this drafting issue. Rather, my point only is that companies should be explicit in these clauses about which countries are subject to sanctions and to affirmatively advise distributors in writing when those countries change. Don’t count on your distributor to know who the U.S. has sanctioned anymore than you would count on him to know the name of last year’s winner of American Idol.

Permalink Comments (2)

Bookmark and Share



More Details Emerge on Multilateral Export Controls on Cybersecurity Items

Posted by Clif Burns at 8:11 pm on December 10, 2013
Category: BISCyber WeaponsWassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons week we posted on reports that the Wassenaar Plenary was considering adding certain cybersecurity hardware and software products to the list of items that members of the Wassenaar Arrangement, which includes the United States, have agreed to subject to export controls. A press release today from Privacy International purports to provide details and operative language for the new controls, the first control to be on certain types of intrusion software and the second on certain types of deep packet inspection (“DPI”). Both of the proposed new controls are somewhat narrower than we first thought might be the case before we saw this language.

The controls on intrusion software originate from a U.K. proposal. It would control software designed to bypass security and detection systems in order to collect data or modify the execution of software on the targeted device:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The target seems to be malware and rootkits used by government agencies to spy on its citizens, such as FinFisher software which we previously discussed here. Of course, the language is broad enough to cover exports of most malware and might give governments additional enforcement tools against domestic hackers and distributors of malware. Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

The second new controls will target “IP network surveillance systems.” Specifically, the language, as proposed by France, is narrower than the title suggests and reads as follows:

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of ‘hard selectors’; and
b. Mapping of the relational network of an individual or of a group of people.

When I previously posted about possible added controls on DPI software and hardware, I noted that the “deep” in DPI could mean many things. This language clarifies that by only covering inspection at OSI Layer 7, the so-called application layer. Moreover, it only captures items that in addition to capturing the traffic contents also index that software and analyze it for relational data among individuals. The biggest ambiguity is what is meant by a “carrier class IP network,” a term likely to be defined differently by the various members of the Wassenaar arrangement.

Permalink Comments (1)

Bookmark and Share