Archive for the ‘Deemed Exports’ Category


UMass Bans Iranian Students


Posted by at 7:34 pm on February 17, 2015
Category: Deemed Exports, Iran Sanctions

UMass Amherst Student Union by Trace Meek [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/tracemeek/8972271164 [cropped]

[UPDATES BELOW]

Why solve a problem with a scalpel when there is a sledgehammer nearby? That is the question that UMass Amherst administrators must have asked themselves when they decided to ban all Iranian students from their graduate-level science and engineering programs. The problem, of course, that had the administrators in a tizzy was the fear that the university might engage in deemed exports of export-controlled technology to those Iranian students.

It seems, however, that the UMass administrators perhaps need themselves a little education in export law. For starters, the Export Administration Regulations (“EAR”) make clear in section 734.9 that information “released by instruction in catalog courses and associated teaching laboratories of academic institutions” is not subject to the EAR and that, therefore, teaching this information to Iranians (or any other foreign student) is not a violation of the EAR.

Perhaps the administrators are afraid that school labs might have export-controlled equipment and that Iranians, if they have access to these machines, might be considered to have received export-controlled technology. That may be a legitimate concern, but it is not one that is restricted to Iranians. To solve this problem, UMass would have to boot all foreign students.

Nor is there any merit in the argument, apparently made by a “policy analyst” at a small DC firm cited in the linked article, that this result is mandated by section 501 of the Iran Threat Reduction and Syria Human Rights Act. That section prohibits the State Department from issuing visas to an Iranian to attend a U.S. university “to prepare … for a career in the energy sector of Iran or in nuclear science or nuclear engineering or a related field in Iran.” To begin with, this section imposes an obligation only on the State Department and not on any university in regard to its relation with a student once such a visa was granted. Nor does the prohibition extend to all fields in science and engineering, unless, somehow, a graduate degree in biology prepares one to work in the energy or nuclear field.

Beyond that, the University runs the risk of violating the anti-discrimination provisions of the Immigration and Nationality Act. Those provisions prohibit discrimination in employment against a legally-admitted foreign national based on his or her national origin. Since graduate students normally receive employment from their universities, a total ban on Iranian graduate students could very likely be seen as a violation of those prohibitions.

UPDATE: An email from the DC firm discussed in this post indicates that their policy analyst did not state in the interview cited in the linked article that section 501 of the Iran Threat Reduction and Syria Human Rights Act mandated the position taken by UMass Amherst. The email goes on to state that the law firm also believes, as I do, that the UMass Amherst policy is overbroad.

SECOND UPDATE:  Do you think maybe the folks at UMass Amherst read this post?  Probably not, but for whatever reason they’ve already reversed their policy banning Iranian graduate students in science and engineering.

 


Chinese Hacker Nabbed on Export Charges


Posted by at 9:20 pm on August 19, 2014
Category: Arms Export, Criminal Penalties, DDTC, Deemed Exports

Stephen Su photo taken by CBP during U.S. transit in 2011 via http://www.cbc.ca/news/canada/british-columbia/su-bin-chinese-man-accused-by-fbi-of-hacking-in-custody-in-b-c-1.2705169 [Public Domain]
ABOVE: Stephen Su


Well, we all know, or should know, that hacking is a criminal violation of the Computer Fraud and Abuse Act, at least when it entails unauthorized access to another party’s computer. What you may not know is that if you’re a foreign national and if the data accessed is technical data controlled by the International Traffic in Arms Regulations, hacking can also be a violation of the Arms Export Control Act.

Back in June, Canadian authorities arrested, at the request of the FBI, a Chinese citizen and Canadian permanent resident named, variously, Su Bin, Stephen Su and Stephen Subin, whom we’ll refer to simply as Su for convenience. Su, the owner of Lode-Tech, a Chinese company with an office in Canada, was accused of conspiring with several Chinese nationals to hack into U.S. defense contractors’ computer systems and to exfiltrate data about military aircraft back to China. Last Friday, Su was indicted by a federal grand jury in California.

One of the charges in the indictment is a violation of the Arms Export Control Act. The theory behind this charge is that Su, with his PRC-based co-conspirators, conspired to break into the U.S. computer systems and to disclose ITAR-controlled technical data to foreign nationals among whom were, of course, themselves.

The criminal complaint filed back in June, which served as the basis for Su’s arrest, contains some fascinating details. First, it appears that access was gained to the defense contractors’ systems by sending the contractors’ employees emails containing infected attachments or links to infected websites. These installed malware that allowed the hackers to control the systems, to view files on them, and to send the files back to themselves. Interestingly, the files were then transferred to hop points or servers in Hong Kong and Macao and from there were physically carried back into the PRC. It appears that as the Internet becomes easier for security agencies to surveil, modern spies have started to revert to older methods of spycraft such as smuggling documents, document drops, and, conceivably, even encrypted Morse code shortwave radio transmissions. One wonders if the NSA is training folks in Morse code and invisible ink. What’s next? Microdots?


DDTC Deflates Cloud Puffery


Posted by at 5:25 pm on June 11, 2014
Category: DDTC, Deemed Exports, Encryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data was encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather the token and the original data are maintained on a secure server which can be used to replace the token when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees were covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]
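
The tokenization scheme this post describes (a random token with no algorithm to decode it, and a token-to-data mapping held on a secure server), as an added Python example that is not Perspecsys's code. The class, function and field names and the sample record are assumptions constructed for illustration.

```python
import secrets


class TokenVault:
    """Token <-> value mapping; this is the part that stays on the secure server."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value: str) -> str:
        # Reusing the token for a repeated value lets the cloud side match
        # records, at the cost of revealing which records share a value.
        if value in self._token_by_value:
            return self._token_by_value[value]
        # The token is random: nothing in it is derived from the value, so
        # there is no key or algorithm that turns it back into the value.
        token = "tok_" + secrets.token_hex(16)
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only a holder of the mapping can do this; unknown tokens raise KeyError.
        return self._value_by_token[token]


def to_cloud(vault, record, sensitive):
    """Copy of record with the sensitive fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in sensitive else v for k, v in record.items()}


def from_cloud(vault, record, sensitive):
    """Inverse of to_cloud; needs the vault that issued the tokens."""
    return {k: vault.detokenize(v) if k in sensitive else v for k, v in record.items()}


# Constructed sample record; field names and contents are illustrative only.
SENSITIVE = {"drawing_notes"}
SAMPLE = {"part_id": "P-1001", "drawing_notes": "constructed sample text"}

if __name__ == "__main__":
    vault = TokenVault()
    outbound = to_cloud(vault, SAMPLE, SENSITIVE)
    print(outbound)                                 # what the remote server stores
    print(from_cloud(vault, outbound, SENSITIVE))   # recoverable only with the vault
```

Whoever can query the vault can reverse every token, so access control on the vault itself decides who can read the data.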


Ignorance Is Indeed a Defense: NASA Ames Edition


Posted by at 6:06 pm on March 5, 2014
Category: DDTC, Deemed Exports, ITAR

Aerial View of NASA Ames Research Center https://www.facebook.com/photo.php?fbid=10151655073516394&set=pb.338122981393.-2207520000.1394054211.&type=3&theater [Public Domain]

The NASA Office of Inspector General completed its investigation of unlicensed releases of ITAR-controlled technology to foreign nationals working at the Ames Research Center and — surprise! surprise! — it found no evidence of any violations of law. According to a summary of the OIG report, ITAR-controlled information was released without proper authorization to foreign nationals working at Ames. However, this was not a violation of law, just “poor judgment,” which is a nice way of saying that ignorance of the law can be a defense if you work at NASA and are being investigated by the NASA OIG. The full report was withheld because of privacy concerns, i.e., it mentioned the names, I would presume, of all the people running around at Ames and exercising poor judgment.

As they say on the car commercials: “Professional government workers exporting on closed course. Do not attempt this yourself.” In other words, “poor judgment” will not be enough to exonerate deemed exports in the private sector.

The reason for this all being just a lapse of judgment and not an export violation is this:

We … found significant disagreement between scientists and engineers at Ames and export control personnel at the Center and NASA Headquarters as to whether the work the foreign nationals were performing at Ames involved ITAR-controlled technology.

For you and me, such confusion means you need to file a Commodity Jurisdiction request with the State Department to clear things up. For NASA workers it means that export controls are hard and engineers can’t be blamed for getting hard questions wrong. This statement is somewhat incredible in the context of this finding in the report:

In addition, on two occasions a senior Ames manager inappropriately shared documents with unlicensed foreign nationals that contained ITAR markings or had been identified as containing ITAR-restricted information by NASA export control personnel.

But, yeah, everybody was still confused and disagreeing over whether this stuff was ITAR-controlled or not.

Then we have the part of the report which suggests that Professor Roth probably wishes he worked at NASA and not the University of Tennessee.

We also found that a foreign national working at Ames inappropriately traveled overseas with a NASA-issued laptop containing ITAR-restricted information. Even though the foreign national had an ITAR license at the time, the regulations forbid taking such export-controlled information out of the country. However, we were unable to substantiate concerns that the foreign national shared ITAR-protected information while overseas.

Professor Roth is sitting in a federal correctional facility in part because he carried a laptop with ITAR-controlled data to China without any evidence whatsoever that he even opened those files on his computer while in China. I think this is what some people might call a double standard.


There’s a Nice Knock-Down Argument for You


Posted by at 5:16 pm on February 28, 2014
Category: BIS, Deemed Exports

Intevac HQ http://www.waymarking.com/gallery/image.aspx?f=1&guid=0efe8498-3735-4754-b1d9-e8e56cea9333 [Fair Use]

It should come as little surprise that federal agencies, whether they sit on a wall or not, believe that a word means what they “choose it to mean — neither more nor less.” So when the Bureau of Industry and Security (“BIS”) says that “visual inspection” and “oral exchanges” mean “giving a system password,” well, you can wring your hands about the violence to the English language involved in such a semantic contortion and you can make obscure references to Humpty Dumpty. But that’s about it.

In a recently announced civil penalty imposed by BIS against Santa Clara-based Intevac, the enforcement folks at BIS trampled over their own definitions in order to justify a $115,000 fine against the Company for giving a password to a foreign national employee that would allow him to access hard disk technology controlled by ECCN 3E001. Specifically at issue were drawings, blueprints and part numbers that resided on a company server. According to the charging documents:

Intevac released the technology . . . by providing the Russian national employee with a login identification code and a password that enabled him to view, print and create attachments.

Now let’s take a moment to do something adventurous; let’s actually look at BIS’s definition in § 734.2(b)(3) of the EAR for “release of technology or software”:

Technology or software is “released” for export through:

(i) Visual inspection by foreign nationals of U.S.-origin equipment and facilities;

(ii) Oral exchanges of information in the United States or abroad; or

(iii) The application to situations abroad of personal knowledge or technical experience acquired in the United States.

Clearly, simply giving out a password that enables access to a technology is neither a visual inspection nor an oral exchange of the technology. Unless the password is actually used by the foreign national to access the technology itself, something the charging documents rather coyly refuse to assert, there has been no release of technology. Granted the language here is ambiguous and perhaps the Russian national did see the technology at issue, but saying that the password “enabled him to view, print and create attachments” is an odd way of saying that.

The background here is that the Directorate of Defense Trade Controls (“DDTC”) has, at least since the Consent Agreement in the General Motors case, taken the position that with respect to ITAR-controlled technical data the “ability to access” such data is a deemed export whether actually accessed or not. This does equal violence to the definition of export in § 120.17 of the ITAR which refers to “disclosing (including oral or visual disclosure) or transferring technical data to a foreign person.” Again, to ordinary speakers of the English language permitting access and disclosing are two different things. Perhaps BIS in the Intevac case is just exhibiting a bad case of me-too-itis and does not want anyone to think that DDTC is rougher and tougher on deemed export issues than BIS.
