Another round in the fine proliferation race between OFAC, BIS and DDTC was played out today as the the BIS website trumpeted in headline typeface usually reserved for announcing the end of the world by impending asteroid collision (WORLD ENDS TOMORROW!!) the following news:

Texas Company to Pay $100 Million for Export Violations to

Iran, Syria, Cuba, and Other Countries

Fine is largest civil penalty ever levied by the Bureau of Industry and Security

You can almost see the Wild West sheriffs at BIS blow the smoke away from the barrels of their pistols before re-holstering them, pocketing their own $50 million share of the fine, and striding into the saloon to slam down a shot of celebratory whiskey. “That oughta show them fellers at OFAC who are the real tough guys around this town,” you can hear them muttering. (The other $50 million is going to pay criminal fines imposed as part of a deferred prosecution agreement with the U.S. Attorneys’ Office for the Southern District of Texas.)

But seriously, what is the point in boasting about the size of the fine as if this were a contest or a sports event? Is somebody giving out prizes for the largest fish caught each year?

The company involved was Weatherford International, and we’ve been writing about their export woes and this investigation since 2007. See here and here.

OFAC also announced its penalty against Weatherford today, albeit in much more restrained tones. The announcement details $60 million in sales to Cuba and $23 million in sales to Iran. It also paints a picture of a company that was wilfully unconcerned with its obligations under U.S. export and sanctions laws.

Interestingly, and perhaps as a gesture of noblesse oblige to their colleagues at BIS, OFAC noted that payment of the $100 million in fines to BIS and under the deferred prosecution agreement would satisfy the $91,026,450 fine separately imposed under the terms of the settlement agreement between Weatherford and OFAC.

(And my apologies to Harold Arlin and Ted Koehler for the title of this post. . . )

So, let’s imagine that your office is in Denver and on August 2 you sent an email to a supplier, also in Denver, with proprietary technical drawings of an export-controlled part. Your supplier has signed an NDA and has also certified that all of its employees are U.S. citizens or permanent residents. You haven’t exported that drawing, right? Or have you?

Consider this interesting bit of information:

For a brief time on Aug. 2, data traffic between two [internet service] providers in Denver didn’t just flow across town as it normally would. Instead the bits went to Iceland first, with stops in London, Montreal, New York, Dallas and Kansas City along the way.

Oh dear. That’s a problem. And it wasn’t something that just happened on one day in Denver.

The attack … targeted large Internet carriers in every major city in the U.S. and numerous major cities in Europe and around the world. …

The first incident took place during most of the month of February, when Internet traffic was silently redirected through an Internet service provider called GlobalOneBel, based in the Belarusian capital, Minsk. The targets of these attacks included financial institutions, government agencies and network service providers.

But that wasn’t the end of it.

These attacks occurred throughout February and into March. Then they stopped for awhile.

The attacks resumed in May, and almost right away the choke point switched from Belarus to Iceland. … Then they stopped again — until July. This time, the venue was again in Iceland. Beginning on July 31, traffic from a large VOIP company — Renesys wouldn’t name it — was diverted through an Internet service provider called Opin Kerfi [in Iceland].

As I’ve pointed out before, both BIS and DDTC have taken the position that any transmission of technical data outside the United States, even for a trillionth of a nanosecond** or less, is an export of the technical data. This, they say, is true even if no one in the foreign country actually sees or intercepts the message. And, even more astoundingly, this is true even if the message is encrypted and would be unintelligible to anyone but the intended domestic recipient. And although the fact that you didn’t intend the email to leave the country is only a defense to criminal charges, that is cold comfort when the civil fines, which don’t require showing intent, are $250,000 per violation.

So you’d better stop emailing technical data and send it by regular mail or bike messenger (as long as the bike messenger is a U.S. citizen or permanent resident, of course). Pneumatic tubes are another possible option for delivery.

All that being said, and given that the Luddite solution of forsaking the Internet may not be terribly practical, this is another reason to encrypt technical data that you are sending by email even if the recipient is a U.S. person firmly planted on U.S. soil. No, the encryption isn’t a defense to the violation, but it is at least a mitigating factor. Remember, as I posted last May, that the U.S. military thinks it can put ITAR-controlled technical data on a Chinese satellite if it’s encrypted; so if you don’t have anything else to say in your defense when an email with export controlled data accidentally wanders through Lithuania, you will at least have that.  And maybe one day in the distant future, BIS and DDTC will admit that the Internet exists and that encryption works.

*Title reference here.

** For less technical readers, a trillionth of a nanosecond is approximately the time between when a red light changes to green and the cab driver behind you honks his horn.