Archive for the ‘Deemed Exports’ Category


Jun 11

DDTC Deflates Cloud Puffery


Posted by at 5:25 pm on June 11, 2014
Category: DDTC, Deemed Exports, Encryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data was encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather, the token and the original data are maintained on a secure server, which can be used to replace the token when necessary. Thus, if the press release were to be believed, as long as the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.
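To make the distinction between a token and an encrypted value concrete, here is a hypothetical token vault written for this post (example code, not Perspecsys’s product or anything from DDTC): tokens are random, a repeated value gets the same token so the cloud side can still match records, and the only way back to the original is the issuing vault’s lookup table. The record fields and their values are constructed.

```python
import secrets
from typing import Dict, List, Optional


class TokenVault:
    """Hypothetical token vault: the only place the token-to-value mapping exists.
    In the scenario the post describes, this server stays in the United States
    while only the tokens travel to the cloud."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Replace a value with a random token. A repeated value gets the same
        token so cloud-side equality matching still works."""
        existing = self._value_to_token.get(value)
        if existing is not None:
            return existing
        # 128 random bits; the token is not computed from the value at all.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Look the original value up; None if this vault never issued the token."""
        return self._token_to_value.get(token)


def tokenize_record(vault: TokenVault, record: Dict[str, str],
                    sensitive_fields: List[str]) -> Dict[str, str]:
    """Produce the version of a record that may leave for the cloud server."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


def restore_record(vault: TokenVault, record: Dict[str, str],
                   sensitive_fields: List[str]) -> Dict[str, str]:
    """Back on the vault side, swap the tokens for the original values."""
    restored = dict(record)
    for field in sensitive_fields:
        original = vault.detokenize(record[field])
        if original is None:
            raise KeyError(f"token in field {field!r} was not issued by this vault")
        restored[field] = original
    return restored


def token_is_independent_of_value(value: str) -> bool:
    """Two separate vaults tokenizing the same value produce unrelated tokens,
    and neither can resolve the other's token: there is no decoding algorithm,
    only the issuing vault's lookup table (this is the contrast with encryption)."""
    vault_a, vault_b = TokenVault(), TokenVault()
    token_a, token_b = vault_a.tokenize(value), vault_b.tokenize(value)
    return (token_a != token_b
            and vault_a.detokenize(token_b) is None
            and vault_b.detokenize(token_a) is None)


# Constructed sample record (not real technical data).
SAMPLE_RECORD = {"program_id": "PROGRAM-CONSTRUCTED-01",
                 "drawing_notes": "constructed placeholder for a controlled drawing"}
SENSITIVE_FIELDS = ["drawing_notes"]
```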

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees were covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]




Mar 5

Ignorance Is Indeed a Defense: NASA Ames Edition


Posted by at 6:06 pm on March 5, 2014
Category: DDTC, Deemed Exports, ITAR

Aerial View of NASA Ames Research Center https://www.facebook.com/photo.php?fbid=10151655073516394&set=pb.338122981393.-2207520000.1394054211.&type=3&theater [Public Domain]

The NASA Office of Inspector General completed its investigation of unlicensed releases of ITAR-controlled technology to foreign nationals working at the Ames Research Center and — surprise! surprise! — it found no evidence of any violations of law. According to a summary of the OIG report, ITAR-controlled information was released without proper authorization to foreign nationals working at Ames. However, this was not a violation of law, just “poor judgment,” which is a nice way of saying that ignorance of the law can be a defense if you work at NASA and are being investigated by the NASA OIG. The full report was withheld because of privacy concerns, i.e., it mentioned the names, I would presume, of all the people running around at Ames and exercising poor judgment.

As they say on the car commercials: “Professional government workers exporting on closed course. Do not attempt this yourself.” In other words, “poor judgment” will not be enough to exonerate deemed exports in the private sector.

The reason for this all being just a lapse of judgment and not an export violation is this:

We … found significant disagreement between scientists and engineers at Ames and export control personnel at the Center and NASA Headquarters as to whether the work the foreign nationals were performing at Ames involved ITAR-controlled technology.

For you and me, such confusion means you need to file a Commodity Jurisdiction request with the State Department to clear things up. For NASA workers it means that export controls are hard and engineers can’t be blamed for getting hard questions wrong. This statement is somewhat incredible in the context of this finding in the report:

In addition, on two occasions a senior Ames manager inappropriately shared documents with unlicensed foreign nationals that contained ITAR markings or had been identified as containing ITAR-restricted information by NASA export control personnel.

But, yeah, everybody was still confused and disagreeing over whether this stuff was ITAR-controlled or not.

Then we have the part of the report which suggests that Professor Roth probably wishes he worked at NASA and not the University of Tennessee.

We also found that a foreign national working at Ames inappropriately traveled overseas with a NASA-issued laptop containing ITAR-restricted information. Even though the foreign national had an ITAR license at the time, the regulations forbid taking such export-controlled information out of the country. However, we were unable to substantiate concerns that the foreign national shared ITAR-protected information while overseas.

Professor Roth is sitting in a federal correctional facility in part because he carried a laptop with ITAR-controlled data to China without any evidence whatsoever that he even opened those files on his computer while in China. I think this is what some people might call a double standard.




Feb 28

There’s a Nice Knock-Down Argument for You


Posted by at 5:16 pm on February 28, 2014
Category: BIS, Deemed Exports

Intevac HQ http://www.waymarking.com/gallery/image.aspx?f=1&guid=0efe8498-3735-4754-b1d9-e8e56cea9333 [Fair Use]

It should come as little surprise that federal agencies, whether they sit on a wall or not, believe that a word means what they “choose it to mean — neither more nor less.” So when the Bureau of Industry and Security (“BIS”) says that “visual inspection” and “oral exchanges” mean “giving a system password,” well, you can wring your hands about the violence to the English language involved in such a semantic contortion and you can make obscure references to Humpty Dumpty. But that’s about it.

In a recently announced civil penalty imposed by BIS against Santa Clara-based Intevac, the enforcement folks at BIS trampled over their own definitions in order to justify a $115,000 fine against the Company for giving a password to a foreign national employee that would allow him to access hard disk technology controlled by ECCN 3E001. Specifically at issue were drawings, blueprints and part numbers that resided on a company server. According to the charging documents:

Intevac released the technology . . . by providing the Russian national employee with a login identification code and a password that enabled him to view, print and create attachments.

Now let’s take a moment to do something adventurous; let’s actually look at BIS’s definition in § 734.2(b)(3) of the EAR for “release of technology or software:”

Technology or software is “released” for export through:

(i) Visual inspection by foreign nationals of U.S.-origin equipment and facilities;

(ii) Oral exchanges of information in the United States or abroad; or

(iii) The application to situations abroad of personal knowledge or technical experience acquired in the United States.

Clearly, simply giving out a password that enables access to a technology is neither a visual inspection nor an oral exchange of the technology. Unless the password is actually used by the foreign national to access the technology itself, something the charging documents rather coyly refuse to assert, there has been no release of technology. Granted, the language here is ambiguous and perhaps the Russian national did see the technology at issue, but saying that the password “enabled him to view, print and create attachments” is an odd way of saying that.

The background here is that the Directorate of Defense Trade Controls (“DDTC”) has, at least since the Consent Agreement in the General Motors case, taken the position that with respect to ITAR-controlled technical data the “ability to access” such data is a deemed export whether actually accessed or not. This does equal violence to the definition of export in § 120.17 of the ITAR which refers to “disclosing (including oral or visual disclosure) or transferring technical data to a foreign person.” Again, to ordinary speakers of the English language permitting access and disclosing are two different things. Perhaps BIS in the Intevac case is just exhibiting a bad case of me-too-itis and does not want anyone to think that DDTC is rougher and tougher on deemed export issues than BIS.




Nov 7

Naming Names


Posted by at 10:09 pm on November 7, 2013
Category: BIS, DDTC, Deemed Exports, Export Reform

By MediaPhoto.Org (mediaphoto.org Own work) [CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ARussian_passports.jpg

The Bureau of Industry and Security has released new guidance on deemed re-exports which is intended to deal with issues arising when a U.S. company exports technology to a foreign company that then re-exports that technology to its own employees who are not of the same nationality as the foreign company receiving the technology export. The purpose of the guidance is to address certain issues raised by the current export control reform effort and, specifically, to deal with re-exports of technology relating to the newly created 600 series of items that have been transferred from the United States Munitions List (“USML”) to the Commerce Control List (“CCL”).

As the guidance notes, one of the overarching principles of the export control reform effort is that military items moved from the USML to the CCL should not thereby be subjected to more stringent controls than were applicable to the item when it was on the USML. Under the International Traffic in Arms Regulations (the “ITAR”) “technical data” is subject to certain license exemptions permitting technical data, in certain cases, to be transferred without license by foreign companies to their employees who are not of the same nationality as the foreign company. These employees include “third country nationals” who are nationals of countries other than the nationality of the foreign company involved and “dual nationals” who are nationals of two countries, one of which may, but does not necessarily, include the nationality of the foreign company.

The first of these exceptions, found in section 124.16 of the ITAR, allows companies in NATO countries, the EU, Australia, Japan, New Zealand and Switzerland to retransfer technical data to third country nationals who are also from such countries, subject to certain further conditions. The other exception, found in section 126.18, permits intra-company transfers of technical data from the foreign company to employees without regard to the country restrictions of 124.16 but subject to certain other restrictions, such as requiring the third country national employees to sign non-disclosure agreements and requiring the company to assure that the third country national doesn’t have “substantive contacts” with countries subject to arms embargoes under section 126.1 of the ITAR.

Nothing in the Export Administration Regulations (the “EAR”) provides equivalent license exceptions to permit the transfer of technology to nationals of NATO countries, the EU, Australia, Japan, New Zealand, and Switzerland without a license as permitted by section 124.16 of the ITAR. Accordingly, the new guidance indicates that it is the policy of BIS to permit transfers of technology relating to series 600 items without a license if the conditions of 124.16 are fulfilled. Also, to the extent that section 126.18 of the ITAR permits transfers to third country nationals outside of the EU, Australia, Japan, New Zealand and Switzerland if they sign an NDA and are screened for contacts with embargoed countries, BIS will permit similar transfers of series 600 technology.

The situation with section 126.18 is more complicated because section 126.18 addresses an issue under the ITAR that is not a problem under the EAR, namely the problem of dual nationals born in countries subject to arms embargoes. Section 126.18 was designed to deal with the thorny problem of dual nationals under DDTC’s rules, which require that a dual national be treated as a citizen of both countries. Accordingly, a naturalized U.K. citizen born in China would still be treated as Chinese, and thus ineligible to receive ITAR-controlled technical data even if he had been awarded the OBE by the Queen because, in DDTC’s eyes, that dual national was irrevocably and permanently tainted with Chinese blood. Although such discrimination would be illegal if applied by DDTC in the United States, DDTC saw no problem with applying this rule in foreign countries even if it would, as it often did, violate the human rights laws of that foreign country to discriminate against someone solely based on place of birth. Under BIS rules, in contrast, a person is treated as a citizen of the country of his or her most recent nationality. A naturalized UK citizen would be treated simply as a UK citizen without regard to the fact that he or she was born in China and was once Chinese. Thus, strictly speaking, the BIS guidance does not need to implement those parts of 126.18 as they relate to dual nationals.

There is, however, one problem relating to technology re-exports for series 600 items where the transfer from the USML to the EAR will subject the technology to more stringent requirements and which is not addressed by this guidance. Under DDTC’s application procedures, a U.S. exporter seeking authority for a foreign company to transfer technical data to its third country and dual national employees need only list the nationalities of the employees. In other words, the U.S. exporter says, for example, that the technical data will be exported to French, German and Mexican nationals. Under BIS application guidelines, however, the U.S. exporter must give the names, passport numbers and addresses for each employee that will receive the technology re-export. In addition to that, a resume for each individual, showing education, employment history and military service, must be provided for each employee.

Over and above the obvious burden of compiling this information in the first place, the U.S. exporter will be required to obtain amendments or new authorizations each time the foreign transferee hires new employees in the affected program area. Under DDTC’s rules, an amendment is required only if an employee with a nationality not previously approved is hired. Granted, this burden can be minimized to some extent through reliance on section 126.18, but this may not be possible where the foreign employer is either unable or unwilling to comply with all of the conditions required by section 126.18, including screening employees for contacts with embargoed countries, maintaining records of this screening, and fulfilling the other requirements of section 126.18.




May 28

Hackers Are Exporters Too


Posted by at 5:50 pm on May 28, 2013
Category: DDTC, Deemed Exports

By Poa Mosyuen (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File:HK_%E7%9F%B3%E5%A1%98%E5%92%80%E5%B8%82%E6%94%BF%E5%A4%A7%E5%BB%88_Shek_Tong_Tsui_Municipal_Services_Building_%E9%9B%BB%E8%85%A6%E9%8D%B5%E7%9B%A4_Chinese_input_keyboard_Jan-2012.jpg

The Washington Post reported today that a confidential report from a Pentagon advisory group indicated that Chinese hackers had obtained sensitive military plans for a number of defense systems, including the Patriot Missile PAC-3, the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship. The report did not specify whether these plans had been obtained by hackers from computers operated by the U.S. government or by the defense contractors involved.

So with this blockbuster revelation in hand, think for a moment about the ITAR-controlled technical data sitting on your computer system. You’ve gone to all the trouble to secure these files and prevent access by persons in your company who aren’t U.S. nationals. Then you’re hacked and this data is exfiltrated to China. What now?

Well, for starters, consider this: the definition of “export” in section 120.17 of the International Traffic in Arms Regulations does not have a carve-out for data hacked out of your system by foreign nationals. In fact, it covers “transferring technical data to a foreign person, whether in the United States or abroad,” without specifying how that transfer occurs. And make no mistake about it: when your system has been hacked by the People’s Liberation Army, it has transferred technical data to foreign nationals.

“But I didn’t mean for that data to be shipped to China!” you protest. Well, that may mean you lack the necessary scienter for a criminal prosecution, but civil penalties do not require intent. That also means it is probably time to think about a voluntary disclosure. And of course, one of the mitigating factors will be that you did not intentionally transfer the data to the PRC.

But here is the rub. Maybe you did not send the PLA an engraved invitation asking them to come hack your system, but maybe you also did not really have robust systems in place to prevent hacking. Often hackers get control of systems by sending infected links to employees. What protections do you have in place to prevent employees from clicking links in emails from outside the system? What systems do you have in place to monitor outbound traffic from your computers? And if you say, well, we have X or Y antivirus installed, you are going to hear the sad trombone because hackers can get around commercial antivirus software faster than Lindsay Lohan can sneak out of rehab.

Consider the Washington Post story a warning. It’s time to take a hard look at your security systems so that you either do not have to file a voluntary disclosure that you’ve been hacked or, if you do have to make such a disclosure, you can honestly say you took every reasonable precaution.
