Some Things Change; Some Things Don’t
Posted by Clif Burns at 9:14 pm on March 9, 2010
Category: Cuba Sanctions • Iran Sanctions • Sudan • Syria • Technology Exports
Here’s what has changed at OFAC. Yesterday OFAC announced a general license for Iran and Sudan that would permit export of
certain services and software incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging.
To be eligible the services must be offered free of charge and any software must be EAR99, not subject to the EAR, or mass market software classified under ECCN 5D992. Also, the exporter must not have any reason to believe that the services or software is destined to be used by the government of Sudan or Iran. A similar license was announced for Cuba but it only covered services since BIS controls exports of software to Cuba. Any bets on how long it will take for BIS to act to permit these software exports to Cuba? BIS action will also be necessary for similar exports to Syria.
And here is what hasn’t changed at OFAC. Today OFAC announced that it spent untold tens of thousands of taxpayer dollars to fine some poor schlub $575 for buying Cuban cigars over the Internet. I have to assume that this single cigar purchase will provide funds to the current Cuban government that will keep it in power for about five minutes longer than otherwise would have been the case thereby justifying all the government expense involved in imposing the fine.
Cloudy with a Chance of Fines
Posted by Clif Burns at 9:23 pm on January 12, 2010
Category: Technology Exports
As enterprises began to confront the issues raised by cloud computing, this article on TMCnet is a good reminder that export issues may be some of the most intractable. Although some clouds, like Amazon’s EC2, provide servers in defined locations, other cloud providers, Google notably, are more secretive about where their clouds are located or on which clouds user data is stored. If ITAR-controlled technical data or CCL-controlled technology is stored by a U.S. company on a cloud outside the United States, an export has occurred. If no license has been obtained it is safe to say that this is going to be a cloud without a silver lining.
BIS did issue an advisory opinion in January 2009 on cloud computing. The advisory opinion was requested by an unnamed provider of cloud computing service and fails to address the export issues relating to users of such cloud computing services. In the advisory opinion, BIS stated, among other things, that the provision of cloud computing services is not an export subject to the EAR and that the cloud provider is not considered to be the exporter of any data that users place on and retrieve from the cloud.
The TMCnet article focuses unduly on the location of the server while neglecting that even if the cloud is wholly within the United States an export could occur if foreign nationals employed by the cloud provider in the United States have access to controlled technology or technical data. The same article also neglects to point out that export issues are raised in other Internet contexts. If an email contains controlled technology or technical data an illegal export will have occurred if the email transits a foreign server even if the email is sent from a server in the United States and is addressed to a server in the United States. The same issue could exist for VOIP voice communications if the VOIP provider utilizes any servers located outside the United States.
The BIS advisory opinion shows a laudable effort to understand and accommodate issues posed by cloud technology, at least from the perspective of the cloud provider. Hopefully, it will show the same practical considerations for users of cloud technology. Whether OFAC and DDTC will demonstrate similar understanding of the technology remains to be seen.