ExportLawBlog » Deemed Exports

Archive for the ‘Deemed Exports’ Category

Aug

9

Are You Now, or Have You Ever Been, a Spy?

Posted by Clif Burns at 5:00 pm on August 9, 2011

With the August 15 implementation date for the new dual and third country national rule fast approaching, I wanted to comment briefly on the Sample Questionnaire that the Directorate of Defense Trade Controls (“DDTC”) has proposed as an example of something foreign companies should use to review whether a dual or third-country national has “substantive contacts” with other countries. Under the new rule, foreign companies covered by a technical assistance agreement (“TAA”) can share technical data with full-time employees who are also nationals of countries other than the company receiving the data under the TAA. One of the conditions, however, for using that rule is that the foreign licensee must examine the “substantive contacts” of that third-country or dual national with other countries to determine whether there is a risk of diversion of the technical data outside the home country of the foreign licensee.

The sample questionnaire proposed by DDTC represents the agency’s suggestion as to one way that such screening should take place. Some of the questions are poorly drafted, and many of the others are just plain silly and can be roughly paraphrased as simply asking the person involved whether or not he or she is a foreign spy — as if they would answer that question truthfully if they were.

In the poor drafting category, we have this question:

Do you have business contacts, business partners, business contracts, brokers, or any other relationship with a business in another country or other countries subject to U.S. or U.N. embargo?

Because the question as to whether there are contacts with “another country” would necessarily include countries subject to embargo, the final clause is unnecessary and potentially confusing.

Also in the poorly drafted category, we have this incredibly broad inquiry:

Have you ever served in or provided information to the government of another country (e.g., military, foreign ministry, intelligence agency or law enforcement)?

Anybody who has ever traveled to a foreign country would have to answer this affirmatively because of the requirement to provide information to customs and immigration officials upon entry in to the country. And, of course, a third country national will have provided tons of information to his home country government in terms of tax returns, driver’s license applications, and the like. And what about state-owned enterprises? Does information provided to them constitute information provided to the government?

Then we have the “are you a spy” questions:

Do you have contacts with any other individuals or groups involved in acquiring controlled defense articles, including technical data, illegally or otherwise circumventing export control laws? Please explain the nature of that contact.

Do you have contacts with agents from another country or another country’s government?

Do you have contacts with agents from another country or another country’s government?

It is a little known historical fact that Mata Hari, when asked questions of these sorts, broke down into tears, confessed to the French government that she was a spy and asked to be immediately taken to the firing squad for execution.

The questionnaire also has the dual or third country national attest that he or she has given the company complete and accurate “social networking addresses.” Apparently whoever wrote this had heard that all the kids these days do these Twitter and Facebook thingies but didn’t really understand how any of them worked. There really isn’t any such thing as a “social network address,” unless the DDTC expects that something like www.facebook.com be provided as a response to this question. Presumably the idea here would be that the employee has allowed the company to follow or “friend” the employee on Facebook, Twitter, Google Plus or the like. This would mean, I guess, that the foreign licensee will then inspect all the tweets or postings of the employee to make sure that he or she hasn’t said in one or more of them that they are passing controlled technical data to foreign government agents. It is probably easier just to not use the exemption.

Permalink

Comments (2)

Jul

26

Cloudy, With A Chance of Heavy Fines

Posted by Clif Burns at 5:45 pm on July 26, 2011

Category: Deemed Exports • Export Reform • Technical Data Export

The Brookings Institution just issued a brief report entitled “Addressing Export Control in the Age of Cloud Computing.” The report raises more issues than it answers, which is not surprising given the brevity of the report and the uncertain state of the application of export rules and regulations to cloud computing.

One thing the report gets quite right is its observations that the questions of the application of export law to cloud computing are issues that pre-date the current cloud computing phenomenon and were raised initially by the trans-national characteristics of the Internet itself. Consider this example provided by the report:

Person A, a U.S. citizen located in the United States, sends an e-mail containing EAR-restricted information in the body of the message to Person B, a U.S. citizen who normally works at a location in the United States. Unbeknownst to Person A, Person B is on a short trip overseas. Person B logs onto his e-mail while overseas using a public computer in the lobby of his hotel, sees that he has an e-mail message from Person A, but since he does not have any reason to believe in advance that it will contain EAR-restricted information, proceeds to click on the message and read it.

Assuming this is an export violation, and under a literal reading of the Export Administration Regulations (“EAR”) it would be, who has broken the rules? The party sending the email without knowing it was going to leave the country or the party opening the email not knowing it contained export controlled data? The report piles on another question and another wrinkle: suppose the email provider moved the email on to a foreign server after noticing that Person B was accessing the email from abroad. Is the email provider guilty of an export violation? These same issues that are posed by a simple email are also posed when companies begin storing data on the cloud without full control or knowledge of where the cloud servers may be located.

Of course, the literal interpretation of export rules might well forbid the use of email, cloud services or the Internet in general with respect to export-controlled data. Is it time to shut off the computers, address a bunch of envelopes, and crank up the dusty postage meter in the back of your office?

The report suggests that regulators might avoid charges of Luddism and the enshrinement of nineteenth-century concepts of exports by looking at data encryption. Under current rules, data is exported if it crosses borders whether it does so as clear or encrypted text. Perhaps securely encrypted text can find a safe harbor from traditional concepts of export. And although the regulations do not currently take this approach, I have advised people emailing export-controlled data to do so always in encrypted form to guard against things similar to the scenario posed above. If the controlled data, through the miracle of the Internet, winds up on a foreign server, at least the contents of that data aren’t available in any practicable sense to any foreign persons with access to that server. If not a defense to the export violation, it is at least going to be a mitigating factor in any penalty action.

Permalink

Comments Off

May

11

Export License Required

Posted by Clif Burns at 6:52 pm on May 11, 2011

Category: Deemed Exports

Jobs I think all the publicity of the new part of the I-129 non-immigrant visa application which asks companies to certify as to whether the company will be transferring export-controlled technology to the foreign employee is causing some confusion. I saw today a job listing for a gas turbine engineer that said this:

This position may require an export license from the Department of Commerce, Bureau of Industry and Security and/or the Department of State, Directorate of Defense Trade Controls. Issuance of any required license is a prerequisite for this position.

This is odd, because that license is only required if the person filling the position is not a U.S. citizen or permanent resident. And if the person is not, a work visa is required, which is a prerequisite prior to any export license. So why the emphasis on the requirement of an export license? Do people now think that export licenses may be required for any jobs involving controlled technical data?

Permalink

Comments (5)

Mar

8

If BIS Can’t Understand the EAR, How Are You Supposed To?

Posted by Clif Burns at 9:20 pm on March 8, 2011

Category: BIS • Deemed Exports

IBM Blue Gene Supercomputer The GAO released on March 7 a report, dated February 2, that chastised the Bureau of Industry and Security (“BIS”) for confusion within BIS concerning the proper scope and interpretation of its own deemed export rule. The precise issue is one which has confused exporters even more than BIS and which relates to whether or not giving a foreign national access to an export-controlled dual-use item, such as a high-powered computer covered by ECCN 4A003, is a deemed export or not.

The question revolves around the meaning of “use” under the Export Administration Regulations (“EAR”). For example, in the case of supercomputers controlled by ECCN 4A003, the corresponding technology ECCN 4E001 defines controlled technology as technology “for the “development”, “production”, or “use” of equipment” controlled by ECCN 4A003. “Use” is defined in the EAR as “[o]peration, installation (including on-site installation), maintenance (checking), repair, overhaul and refurbishing.” BIS has interpreted this definition to mean that the mere operation of a dual use item by a foreign national is not a deemed export; rather, a deemed export occurs only when the foreign national is given information that would permit the foreign national to engage in all six activities defined as use.

Since 1994, the GAO has been complaining that this definition is unclear because it does not take into account that controlled information is often transferred in the course of training a foreign national to use a dual use item. Presumably this means that GAO thinks that in teaching a foreign national how to operate the item, an employer or university will also transfer information relating to installation, maintenance, repair, overhaul and refurbishing of the dual use item.

Further confusion exists with respect to dual use items that are being used for fundamental research. According to the GAO report some BIS officials have said that in such an instance there is no deemed export, presumably even if information on all six use aspects is transferred. The GAO report cites an instance where this confusion caused BIS to flip-flop on license applications by the NIH designed to permit foreign nationals to work at a facility with controlled equipment. Initially, NIH took the position that because it was engaged in fundamental research, no deemed export was occurring. When BIS told NIH in 2008 that it needed export licenses notwithstanding that it was only engaged in fundamental research. Between August 2008 and December 2009, NIH applied for 37 deemed export licenses to permit foreign nationals to operate controlled equipment. In December 2009, BIS reversed course and told NIH that no licenses were necessary because NIH was engaged in fundamental research.

So which is it? Frankly, it seems to me that the project in which the controlled item is engaged is irrelevant. If a 4A003 supercomputer is being used to, say, play Jeopardy, that doesn’t mean that you could transfer to a foreign national information on how to operate, install, maintain, repair, overhaul and refurbish that computer. But what I think isn’t important. What’s important is what BIS thinks, and it seems to be of two minds on the issue.

Permalink

Comments (2)

Feb

8

Once More Unto the Breach

Posted by Clif Burns at 8:35 pm on February 8, 2011

Category: BIS • Deemed Exports

The Bureau of Industry and Security (“BIS”) previously did battle with cloud computing in an advisory opinion it released in January 2009. Almost two years later BIS charges into battle yet again, and yet again there is no clear victor.

In the 2009 advisory opinion, BIS noted that the provider of cloud computing services was only providing a service and was not exporting data or technology. Only the customer of the service could be the exporter, and only the customer of the service would be in export hot water if the data or technology was transferred in violation of the Export Administration Regulations. This logic seemed a bit at odds with the normal concept that providing access to technical data to foreign nationals was an export, but let’s not trouble ourselves here with minor details. A sly little sentence dropped at the end of the opinion also reminded everyone that the Office of Foreign Assets Control (“OFAC”) might have concerns with the provision of cloud computing services to blocked persons or embargoed destinations even if BIS did not.

Now, two years later, BIS confronts the related and more difficult question of what cloud computing service provides ought to do about their own foreign national IT staff who might have access to controlled technology placed on the cloud by the service’s customers. Not to worry, says the opinion, because the cloud computing service provider isn’t an exporter and thus can’t be a deemed exporter:

Because the service provider is not an “exporter,” [it] would not be making a “deemed export” if a foreign national network administrator monitored or screened, as described above, user-generated technology subject to the EAR.

But the problem with this logic is that the person who gives a foreign national access to controlled technology is a deemed exporter even if he isn’t an exporter. That’s why they call it a “deemed” export.

Of course, none of this addresses the 900-pound gorilla in the room which is, of course, the user of the cloud service and its liability for using a cloud service where foreign IT personnel have access to the controlled data that the user may have placed on the cloud. And don’t think the problem starts and ends with cloud computing. The Internet, is also a cloud of sorts linking various servers together to permit transit of data to its final destination. Any of those servers may have foreign network administrators who could use packet sniffers to see controlled technical data. Worse yet, the routing servers may be located in foreign countries even when the sender and the receiver are both located in the United States.

What I think we’d like to hear is what BIS and DDTC think about this. Or maybe not.

Permalink

Comments (2)