Archive for the ‘DDTC’ Category


Jun

24

It’s Good To Be The King


Posted by at 11:15 pm on June 24, 2014
Category: DDTCITARUSML

Intersil Low Dose Irradiator via http://www.intersil.com/en/applications/rad-hard/eldrs.html [Fair Use]Last week the Directorate of Defense Trade Controls (“DDTC”) announced that it had fined Intersil Corporation, a California-based manufacturer and developer of semiconductors and integrated circuits, $10,000,000 of which $6,000,000 goes to Uncle Sam and the remaining $4,000,000 goes to Intersil’s compliance program and remedial measures. Along with the fines, DDTC has required Intersil to jump through a number of now-typical compliance and re-education hoops, including appointing an ombudsman, hiring a special compliance officer, rewriting its compliance programs, engaging in audits, making frequent reports to DDTC and writing “I will not violate the ITAR” three million times on a blackboard after school. Well, of course, only the last item was not actually required.

According to the Proposed Charging Letter, Intersil incurred the ire of DDTC by classifying certain of its products as ECCN 3A001.a.1, 3A001.a.2, and EAR99 even though the items were radiation hardened and space qualified and, therefore, covered instead by USML Category XV(e). Why Intersil made this mistake is not revealed in the documents but since Intersil was applying for BIS licenses for the goods when required, it is hard to imagine that it was anything other than a good faith mistake (which is, probably, the reason why this information is omitted.) As a result, there were 3,152 unauthorized exports of Intersil’s products, although, due to the statute of limitations, only 339 exports were actually charged, with DDTC swearing left and right that although it couldn’t help mentioning the 3,152 exports it was paying absolutely no attention whatsoever to those in formulating the $10 million penalty.

But here is the most interesting part of the charging documents:

Several of the unauthorized exports were subsequently re-exported or retransferred without authorization due in part to the misclassification of the ICs.On August 20, 2010, a DDTC official misinformed Intersil that for any ICs that “HAVE already been exported under EAR jurisdiction, these [ICs] ARE NOT retroactively subject to the retransfer provisions of 22 CFR 123.9.: Intersil was further misadvised that Intersil did not need to inform its foreign customers to submit ITAR re-export authorization for these items and that this “decision to not retroactively aply USML controls for these already exported [ICs] will continue to be applicable even if a future formal CJ determination asserts USML controls apply.”

Interestingly, notwithstanding this bad advice, Intersil is charged with causing various unauthorized re-exports from, and retransfers in, foreign countries due to its misclassification of the integrated circuits. Whether or not any of these were the result, at least in part, of DDTC’s admittedly bad advice that the retransfer provisions would not apply to items exported under the EAR is not clear, but let’s give DDTC the benefit of the doubt and assume that these were all unrelated.

Even so, there is still an interesting moral to this story. Exporters who make mistakes have to pay large fines and engage in burdensome remediation activities. DDTC officials who make mistakes have to do, er, well, nothing at all because, well, you know, mistakes happen. As they say, it’s good to be the king.

Permalink Comments (3)

Bookmark and Share



Jun

11

DDTC Deflates Cloud Puffery


Posted by at 5:25 pm on June 11, 2014
Category: DDTCDeemed ExportsEncryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather the token and the original data are maintained on a secure server which can be used to replace the token when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century.  So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees was covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]

Permalink Comments (2)

Bookmark and Share



Jun

10

Spanish Night Vision Dealer Debarred for Unauthorized Re-Exports


Posted by at 6:19 pm on June 10, 2014
Category: DDTCPart 122

By Spc. Jeffery Sandstrum via http://usarmy.vo.llnwd.net/e2/-images/2007/11/01/9792/ [Public Domain]Carlos Dominguez and his Madrid-based company Elint SA have been administratively debarred by the Directorate of Defense Trade Controls in connection with his unauthorized re-exports and re-transfers of night vision equipment shipped to him from the United States pursuant to DDTC licenses. The unauthorized re-exports and re-transfers were discovered by so-called Blue Lantern checks conducted by foreign embassy staff at the request of the DDTC to determine the ultimate disposition of items exported from the United States pursuant to DDTC licenses. (Interestingly, the cables requesting the Blue Lantern transfers had been previously disclosed when they were leaked by WikiLeaks.)

As a result of the unfavorable Blue Lantern checks, DDTC first imposed in 2009 a policy of denial on Dominguez and Elint. In 2010, DDTC followed up by sending a directed disclosure demand to Elint and Dominguez. A directed disclosure is a DDTC demand that the recipient investigate its export practices and provide to DDTC a list of all its export violations, a request that Dominguez and Elint not surprisingly ignored. A charging letter followed, also ignored, which led to a finding of default by an administrative law judge and the instant order of debarment.

Although section 127.7 of the ITAR specifies that such administrative debarments are “generally” for a period of three years, the order against Dominguez and Elint mentions no time period and is, presumably, permanent. It is safe to say that DDTC is not amused with Dominguez, and this appears to be in large part because of considerable evidence alleged by DDTC that Dominguez tried to evade the policy of denial by setting up shell companies and acting through third parties.

Interestingly, DDTC claims that it has the authority to issue “directed disclosures” under section 122.5(b) of the ITAR, which is, at best, a rather fanciful construction of that section. That section requires that records “maintained” under section 122.5 must be made available to DDTC, but says nothing about any obligation to create new records at the request of DDTC and then provide them. More interestingly, section 122.5 applies to “persons required to register” under Part 122. That obligation is imposed on persons who engage “in the United States in the business of manufacturing or exporting” defense articles. That, of course, does not cover foreign end users of U.S. exports, so it is not at all clear how DDTC can justify issuing the directed disclosure to Dominguez under section 122.5(b).

Permalink Comments Off

Bookmark and Share



Mar

27

BIS Halts Processing on All Export Licenses for Russia


Posted by at 12:28 pm on March 27, 2014
Category: BISDDTCRussia Sanctions

A notice that further processing of all export licenses for CCL items to Russia just appeared in the last several days in the slider on the home page of the website for the Bureau of Industry and Security (“BIS”):

(I’m posting a screenshot because there is no reliable permalink to the slider image).

Existing licenses are not affected; only license applications that were not granted as of March 1, 2014, are covered by this policy. Compare this to the U.K. action which suspended all existing licenses and applications for military and dual-use items destined for the Russian military “which could be or are being deployed against Ukraine.” The State Department has not yet taken action on licenses and applications for USML items to Russia, although possible action in that regard is rumored.

UPDATE: DDTC has just posted this on the home page of its website:

The Department of State has placed a hold on the issuance of licenses that would authorize the export of defense articles and defense services to Russia. State will continue this practice until further notice.

Permalink Comments Off

Bookmark and Share



Mar

5

Ignorance Is Indeed a Defense: NASA Ames Edition


Posted by at 6:06 pm on March 5, 2014
Category: DDTCDeemed ExportsITAR

Aerial View of NASA Ames Research Center https://www.facebook.com/photo.php?fbid=10151655073516394&set=pb.338122981393.-2207520000.1394054211.&type=3&theater [Public Domain]The NASA Office of Inspector General completed its investigation of unlicensed releases of ITAR-controlled technology to foreign nationals working at the Ames Research Center and — surprise! surprise! — it found no evidence of any violations of law. According to a summary of the OIG report, ITAR-controlled information was released without proper authorization to foreign nationals working at Ames. However, this was not a violation of law, just “poor judgment,” which is a nice way of saying that ignorance of the law can be a defense if you work at NASA and are being investigated by the NASA OIG. The full report was withheld because of privacy concerns, i.e., it mentioned the names, I would presume, of all the people running around at Ames and exercising poor judgment.

As they say on the car commercials: “Professional government workers exporting on closed course. Do not attempt this yourself.” In other words, “poor judgment” will not be enough to exonerate deemed exports in the private sector.

The reason for this all being just a lapse of judgment and not an export violation is this:

We … found significant disagreement between scientists and engineers at Ames and export control personnel at the Center and NASA Headquarters as to whether the work the foreign nationals were performing at Ames involved ITAR-controlled technology.

For you and me, such confusion means you need to file a Commodity Jurisdiction request with the State Department to clear things up. For NASA workers it means that export controls are hard and engineers can’t be blamed for getting hard questions wrong. This statement is somewhat incredible in the context of this finding in the report:

In addition, on two occasions a senior Ames manager inappropriately shared documents with unlicensed foreign nationals that contained ITAR markings or had been identified as containing ITAR-restricted information by NASA export control personnel.

But, yeah, everybody was still confused and disagreeing over whether this stuff was ITAR-controlled or not.

Then we have the part of the report which suggests that Professor Roth probably wishes he worked at NASA and not the University of Tennessee.

We also found that a foreign national working at Ames inappropriately traveled overseas with a NASA-issued laptop containing ITAR-restricted information. Even though the foreign national had an ITAR license at the time, the regulations forbid taking such export-controlled information out of the country. However, we were unable to substantiate concerns that the foreign national shared ITAR-protected information while overseas.

Professor Roth is sitting in a federal correctional facility in part because he carried a laptop with ITAR-controlled data to China without any evidence whatsoever that he even opened those files on his computer while in China. I think this is what some people might call a double standard.

Permalink Comments (3)

Bookmark and Share