Archive for the ‘BIS’ Category



Don’t Believe Everything You Read in Blogs

Posted by at 5:54 pm on July 11, 2017
Category: BISDDTC

Road Warrior at LAX by Clif BurnsA lawyer, without any apparent background in export law, recently decided to write a post on export law for “In House,” which bills itself as the “FindLaw Corporate Counsel Blog.” The purpose of the post, it would seem, is to frighten people traveling internationally with their laptops with the suggestion that they may well be greeted on their return trip by an arrest warrant if they don’t have an export license for their laptop. No, really, he actually says that

Traveling abroad? Don’t forget your passport, your laptop, and your export license.

Wh-what export license? Oh, maybe your company attorney didn’t tell you that your laptop requires an export license.

That’s right, the United States requires a license for certain technology and software going abroad.

What the FindLaw post, in order to maximize clickbait value, never reveals is that while technically true that some laptop exports require an export license due to software or technology on that laptop, there are broad license exceptions which mean that, as a practical matter, such licenses are almost never required. That’s what License Exceptions TMP and BAG and the exemption in section 125.4(b)(9) of the ITAR are for. These are, oddly enough, never even mentioned in the FindLaw blog post.

I discussed these provisions permitting laptops to be exported without a license recently in a post about whether a requirement to check laptops in the cabin hold might mean that these provisions would no longer apply. As explained there, section 125.4(b)(9) and license exception BAG permit export of laptops (and any software or technology on them) accompanying passengers and for their personal use as long as the laptop is password protected. License exception TMP requires that the laptop remain in the effective control of the traveler. (The difference between BAG and TMP is that BAG applies to laptops owned by the traveler and TMP applies to company laptops taken on a business trip).

So, no, if you password protect that laptop and keep it with you on your travels, you’re not going to need a license just to take the laptop with you. (If you intend to transfer the laptop or give the technology or software to someone else in the foreign country, these exceptions won’t apply.)

This all goes to show that, with perhaps one exception, don’t believe everything you read on a blog!

Photo Credit: Road Warrior at LAX by Clif Burns. Copyright 2015 Clif Burns

Permalink Comments (1)

Bookmark and Share

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



A Boycott Is A Boycott Is A Boycott

Posted by at 6:06 pm on July 6, 2017
Category: Anti-BoycottBIS

Port of Fujairah by Port of Fujairah via [Fair Use]
ABOVE:Port of Fujairah

As you probably know, various Arab countries, including Saudi Arabia, the U.A.E. and Egypt have imposed a boycott on Qatar, allegedly because of remarks that appeared on the Qatar News Agency’s website where Qatar emir Sheikh Tamim bin Hamad Al Thani called Iran an “Islamic power” and, even worse, said Qatar has “good” relations with Israel. Qatar claims that the Sheikh never said this and that the QNA website was hacked. U.S. intelligence officials have said that this was likely the work of Vladimir Putin and his band of merry hackers, who were hoping to create a rift among the United States and its Arab allies — something the hack may well have accomplished.

What you may not know is that the Port of Fujairah, in the United Arab Emirates, has just banned from the port all maritime traffic coming from or headed to Qatar. Now, how many of you immediately thought of the Bureau of Industry and Security’s Anti-Boycott rules when you (just) heard this? “Pshaw,” you say, “those rules only apply to the Arab League Boycott of Israel.” But in fact the Anti-Boycott Rules never even mention that boycott. By their terms, they apply to any “unsanctioned foreign boycott.” Even though the rules go into excruciating details on all matter of things,  the term “unsanctioned foreign boycott” on which the whole byzantine edifice is constructed, is, oddly, never defined.  Even so, you can be pretty sure that the boycott against U.S. ally Qatar is one of those “unsanctioned foreign boycotts.”

That being said, consider the following scenario. A customer in Fujairah, UAE, wants to buy from you $2 million worth of fidget spinners. The purchase order contains the following clause:

The shipping terms for the purchased goods are DDP Port of Fujairah (INCOTERMS 2010). The good may not be shipped on a Qatari-flagged vessel or on a vessel that visited, or is destined to visit, Qatar.

Can you accept the order?

The Anti-Boycott rules do provide some limited exceptions to permit compliance with shipping instructions of boycotting countries. Section 760.3(b)(1)(i) permits a U.S. person to comply with a prohibition of shipping the goods on a Qatari-flagged vessel. In addition, section 760.3(b)(2)(i) permits a U.S. person to agree not to ship the goods through Qatar. However, the exceptions only apply to requirements for “shipping goods to the boycotting country.” Any restrictions on where the ship calls after that shipment is complete and the goods are delivered to Fujairah would be a violation of the rules.

So there’s something else for you to worry about. You’re welcome.

Permalink Comments (2)

Bookmark and Share

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Vladimir Wants To See Your Source Code

Posted by at 4:08 pm on June 26, 2017
Category: BISEncryption

Vladimir Putin by [CC BY 3.0 (] via [cropped]According to this Reuters report, the Russians are demanding from U.S. companies the right to view source code of software that these companies wish to sell in Russia. The software at issue includes software with encryption capabilities, anti-virus software and firewalls. You don’t have to be a rocket (or computer) scientist to figure out why Vladimir and his spy master buddies want to look at such software. They are looking for vulnerabilities that would allow the Russians to continue to hack into U.S. networks and infrastructure. Surprisingly, Reuters suggests that some big names in U.S. software are actually complying.

That’s surprising because, as many readers probably know, handing over the source code of programs with encryption functionality to the Russian government requires a license from the Bureau of Industry and Security (“BIS”). Normally, I would expect BIS, at least for the moment, to grant such a license when hell freezes over or, as Vladimir himself might say, когда рак на горе свистнет (“when crawfish whistle in the mountains.”)

Here’s why a license is necessary. First, keep in mind that BIS controls the export of software with encryption functionality. This includes software that does not contain any encryption algorithms but calls those algorithms from an external source to perform the actual encryption. Although the language of the EAR is far from making it clear, BIS makes it quite clear here on its website:

Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.

Most programs, in fact, call encryption from the operating system. Some browsers, such as Firefox, incorporate their own encryption, and programs may utilize browser encryption when sending and retrieving date from the Internet. In any event, the vast majority of software has some encryption functionality either by using the operating system or native encryption in certain browsers.

Second, source code does not fall under EAR section 740.17(b)(1) and is not eligible for self-classification and export under License Exception ENC. Rather source code that is not publicly available falls under 740.17(b)(2)(i)(B). Items that fall within (b)(2), such as source code, can be exported thirty days after the filing of a classification report to “non-‘government end users’ located or headquartered in a country not listed in supplement no. 3.” See Section 740.17(b)(2)(i). As a result, license exception ENC does not authorize exports to government end-users outside Supplement 3 countries. As Russia is not a Supplement 3 country, a license is required to provide source code with encryption functionality to the government of Russia.

I have no way of knowing whether the U.S. companies that have let Vlad peek at their source code bothered with, or even knew of the requirement for, licenses.   And although not so long ago, BIS would probably have said “nyet” to any such license request, it is altogether possible that BIS is now saying “da” instead.   In any event, companies should think long and hard before spilling their source code for software with encryption functionality to the Russkis without getting a license from BIS first.


Permalink Comments Off on Vladimir Wants To See Your Source Code

Bookmark and Share

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Sales Clerk Charged with Illegal Exports Given New Trial

Posted by at 10:17 am on June 13, 2017
Category: BISCriminal Penalties

Alexander Fishenko
ABOVE: Alexander Fishenko

Almost a year ago, I commented on the fate of a lowly sales clerk, Anastasia Diatlova, in the prosecution of Alexander Fishenko, his company Arc Electronics, and employees of Arc for exports of various items to Russia without a license. Ms. Diatlova, the most junior sales clerk in the organization, had refused a plea of time served and gone to trial. This infuriated the prosecutors who took that offer off the table when a jury convicted Ms. Diatlova. Last month, however, Ms. Diatlova was granted a new trial on the export charges. The district court, in granting the new trial, held that there was insufficient evidence that Ms. Diatlova knew that it was illegal to ship the item in question.

The court described the evidence of criminal intent presented by the prosecution as follows:

(1) Diatlova received training on export controls and was aware that microelectronics, when mailed to Russia, are “generally subject to U.S. export control laws (emphasis added);” (2) the higher-ups at Arc (Fishenko, Posobilov and Abdullaev) “routinely lied and fabricated documents in order to evade export control restrictions”; (3) Diatlova filled out a “End-Use Certification/Statement of Assurance” indicating that the end user was Izhevsky Radio Plant, when the recipient was instead Atrilor, LTD, making her, at a minimum, guilty of aiding and abetting the illegal shipment of that part; and that proof exists that she was aware in April of 2012, upon arrest, that the part at issue was restricted.

The court held that allowing the jury verdict to stand “would constitute a ‘manifest injustice’ in light of the flimsiness of this evidence,” noting quite reasonably that her knowledge about the export at the time of arrest had little bearing on her knowledge as of the time of the export. Nor could the illegal intent of other employees be attributed to her. The court did not even comment on the export control training, implicitly rejecting the notion that training alone can lay the groundwork for subsequent criminal prosecution. Finally, putting the wrong end-user on the end-use certificate was seen as the court as a sufficient predicate to let Ms. Diatlova’s conviction for wire fraud stand but not as proof that she knew the export was illegal.

This highlights the difficulty confronted by prosecutors when they target people in the cubicles.  As we noted in our prior post on Ms. Diatlova, she had only an eighth-grade education and was being paid only $15 per hour.   Sadly, this appears to be another case of prosecutors who are more concerned about their conviction stats than anything else.

Permalink Comments Off on Sales Clerk Charged with Illegal Exports Given New Trial

Bookmark and Share

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Maybe BIS Should Read This Blog More Often

Posted by at 6:21 pm on May 3, 2017
Category: BISEntity ListOFACRussia Sanctions

Vladimir Putin via [Fair Use]Way back in January of this year, I pointed out a problem that the Bureau of Industry and Security (“BIS”) and the Office of Foreign Assets Control  (“OFAC”) may have unwittingly created for U.S. manufacturers of encryption-enabled products, i.e., virtually anything that touches the Internet or a private network.  Both agencies had imposed sanctions on the FSB, the Kremlin spy agency formerly known as the KGB.  The problem with this otherwise laudable move is that the FSB regulates import of encryption products into Putinstan, er, Russia, and these restrictions could effectively prevent exports of U.S. encryption items into Russia.  This would happen because U.S. exporters were forbidden from filing the necessary paperwork with the FSB by virtue of its addition to OFAC’s SDN List and BIS’s Entity List.

Well, OFAC heard the howls of industry and in just after a little more than a week after the issue had come to light issued General License 1 to permit the filing with the FSB of the necessary paperwork for imports of these products.  BIS, however, slept through those howls and did nothing.   The original post on this problem had noted the difficulties posed by BIS having put FSB on the Entity List.   It was at least possible that the FSB notification and application forms could contain unpublished EAR99 technology regarding the device to be exported to Russia, in which case a BIS license would be necessary before the notification or application could be sent to the FSB.   That would be the case even after the OFAC General License authorized the notification and application forms to be sent

Rip van BIS-winkle has finally roused itself from its slumber on this issue.  On April 17, 2017, BIS amended the Entity List designation for FSB to remove the license requirement for transactions for “items subject to the EAR” that are “related to transactions that are authorized by the Department of the Treasury’s Office of Foreign Assets Control pursuant to General License No. 1 of February 2, 2017.” What do you want to bet that a number of FSB applications were filed with technology “subject to the EAR” without the required license before this amendment to the Entity List? Technology, even technology relating to an EAR99 item, is subject to the EAR unless it has already been published or has arisen during “fundamental research.” Few people would think that unpublished information about a commercial EAR99 item would require a license. Most people probably felt that the OFAC General License got them to the finish line when dealing with the FSB. It now does, but it did not before April 17.

Permalink Comments Off on Maybe BIS Should Read This Blog More Often

Bookmark and Share

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)