Jun

19

The Ostriches and the Kookaburra: A Fable for Our Time


Posted by at 8:38 am on June 19, 2015
Category: BISCriminal Penalties

Ostrich, Wainstalls by James Preston [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/jamespreston/8485895143[cropped]

Two austere ostriches, Osgood and Osbad, who lived near an old gum tree somewhere in the Australian outback, ran a successful business buying cattle prods made by Cow Poke, Inc., located in Kankakee, Illinois, and selling them to cattle farmers in Australia. One day they received an order from the kookaburra who lived in their old gum tree for one of their cattle prods. He even offered cash in advance and said that he would have many other orders in the future.

Osgood looked quizically at the kookaburra and wondered why a kookaburra might need a cattle prod, but decided not to ask. As it was an unusually warm afternoon, he decided to cool off by burying his head in the sand.

Osbad, dreaming of future orders and hoping to buy a bus trip to Perth for a holiday weekend, asked the kookaburra to hand over the money and promised to bring him a cattle prod right after he paid the money, which he did.

“Don’t you wonder,” said the kookaburra, “what on earth I could possibly do with a cattle prod?”

“No!” said Osbad, “I DO NOT!! It’s quite hot and I think I’ll join my mate Osgood and cool off by burying my head in the sand.”

“Actually,” said the kookaburra, “I’m selling them to my customers in Iran,” but by the time he had said the word “Iran,” Osbad’s head was completely covered with sand and he couldn’t hear a word that the kookaburra was saying.

When the Cow Poke Cattle Prods were discovered in Iran, investigators for the Bureau of Industry and Security (“BIS”) traced them back to Osgood and Osbad. The Australians served a provisional arrest warrant on the two ostriches who were subsequently extradited to the United States for trial. Once the jurors heard that Osgood and Osbad buried their heads in the sand, it was all over for poor birds, and they were convicted and sentenced to 6 years in a maximum security prison.

On appeal to the Seventh Circuit, Judge Posner upheld the conviction of Osbad and reversed the conviction of Osgood. He noted

There is no evidence that suspecting he might be [helping the kookaburra sell cattle prods to Iran, Osgood] took active steps to avoid having his suspicions confirmed. Suppose [the kookaburra] had said to him “let me tell you [where the cattle prods are really going],” and he had replied: “I don’t want to know.” That would be ostrich behavior (mythical ostrich behavior—ostriches do not bury their heads in the sand when frightened; if they did, they would asphyxiate themselves). An ostrich instruction should not be given unless there is evidence that the defendant engaged in behavior that could reasonably be interpreted as having been intended to shield him from confirmation of his suspicion that he was involved in criminal activity. [This is exactly what Osbad did, which is why we reverse for Osgood and uphold the conviction for Osbad.]

Osbad remained in maximum security prison, while Osgood was allowed to return to the outback in Australia. On his return, Osgood found a letter from BIS indicating that it had entered a thirty-year export denial order and fined him $250,000 for the sale of the cattle prods to Iran, noting that while ignoring red flags, without more, might save you from jail, it would not save you from the wrath of BIS.

Morale: If you’re going to bury your head in the sand, do it before the kookaburra sings.

The Seventh Circuit opinion in United States v. Macias, which I adapted here, makes clear that simply ignoring red flags is not enough to support the criminal intent necessary for  a conviction. The failure to engage in further due diligence in the face of red flags is not, in Judge Posner’s view, sufficient. Instead, there must be some “active avoidance” of learning the facts that the red flags suggest may be probable.  Another example of active avoidance given in the opinion involves a hypothetical situation where a landlord, fearing he has rented his property to drug dealers, changes his normal commuting route to avoid driving by the house, fearing he might see drug activity if he did.  The “active” in the “avoidance” here is changing the route.

A fuller and more serious discussion of United States v. Macias, written by my colleague Mark Srere and me, can be found here.

[Apologies to James Thurber.]

Permalink Comments (1)

Bookmark and Share





Jun

17

How To Go To Jail Right Now: A Gothamist Primer


Posted by at 9:55 pm on June 17, 2015
Category: Cuba SanctionsOFAC

Cuba - Havana - Car by Didier Baertschiger [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/didierbaertschiger/11785935544[cropped]

Popular local website group Gothamist (which is also responsible for DCist, LAist, Chicagoist, and others) ran on its websites today the intriguingly titled: “How To Go To Cuba Right Now: A Travel Primer.”  You can guess what I think of that article by my title for this post: “How To Go To Jail Right Now: A Gothamist Primer.”

The Primer is authored by Tod Seelie, who appears to be a talented photographer, who describes his trip to Cuba.  He said he wanted to go to see the old cars, the crumbling buildings and the beaches.  Wondering if it was as “easy as buying a ticket online,” he bought a ticket from a website.  He notes he “checked ‘journalistic activity,’ though my visa ultimately identified me only as a tourist.”  And he was off.

The rest of his story details how to get an AirBNB room, the different currencies for locals and tourists, the drinkability of the water, the cost of cabs, the absence of soap in bathrooms,  the skimpy miniskirts worn by Cuban customs agents, and how hard it was for him to understand Cuban Spanish because they drop their s’s at the end of words. Finally, he noted that on the way back from what appeared to be more a vacation than anything else, the only question he was asked by the CBP agent was “Did you have fun?”

Nowhere in the article does Seelie do anything to rebut the likely assumption by his readers that anybody who wants to bop around Old Havana for a weekend getaway can just book an online ticket, sign on to AirBNB to book a room, stuff a moneybelt with cash and head off for sun and mojitos. As readers of this blog know, but readers of blogs in the Gothamist empire probably won’t know, you can’t just go to Cuba as a tourist. You have to go for one of the permitted reasons set forth in the regulations.

What about Mr. Seelie? Did he break the rules? Well, he has a colorable case that he is a journalist, since the regulations include in the definition in section 515.563 “a freelance journalist with a record of previous journalistic experience working on a freelance journalistic project.” Mr. Seelie’s bio suggests he’s published some pictures in some newspapers so we’ll give him this. But, but, but, there’s this in the rules:

The traveler’s schedule of activities does not include free time or recreation in excess of that consistent with a full-time schedule.

You be the judge whether Mr. Seelie was in Cuba for full-time journalism and incidental fun or full-time fun and incidental journalism.

UPDATE:  The article in Gothamist was written by Lauren Evans; Mr. Seelie accompanied her to Cuba to take photographs.  Although Ms. Evans clearly fits, in my view, the definition of a journalist under section 515.563, she still leaves the impression that anyone can hop on a plane and go to Cuba, which, of course, is dead wrong and can lead to an unpleasant encounter with OFAC.  And the question still remains whether she, in addition to Mr. Seelie, was there for full time journalism and incidental fun or full-time fun and incidental journalism.

Permalink Comments (1)

Bookmark and Share





Jun

16

BIS Cybersecurity FAQs Reach the Right Result for All the Wrong Reasons


Posted by at 9:16 pm on June 16, 2015
Category: BISCyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Min istry_of_Defence_MOD_45153616.jpgAfter the uproar generated by the proposed amendments to the Export Administration Regulations to implement the Wassenaar Arrangement’s rules controlling “intrusion software,” the Bureau of Industry and Security (“BIS”) tried to calm things down by issuing some FAQs on the proposed rules. Sadly, I don’t think these FAQs are as helpful as BIS apparently thinks that they might be.

To understand the difficulty here, let’s focus on the problem I discussed in this post indicating that the new controls could reach auto-updaters, like the one in Chrome, that bypass operating system protections designed to prevent installation of new software without user interaction. The FAQs now say explicitly that auto-updaters are not covered. That is a good thing, and you (that means you, Google) can take that statement to the bank.

But the reasoning that BIS uses to reach this conclusion is dicey at best. Here it is:

Does the rule capture auto-updaters and anti-virus software?

No. Software that permits automatic updates and anti-virus tools are not described in proposed ECCN 4D004. ECCN 4D004 software must be specially designed or modified for the generation, operation or delivery of, of communication with, “intrusion software,” which is separately defined. Software that automatically updates itself and anti-virus software may take steps to defeat protective countermeasures, but they are not generating, operating, delivering, or communicating with “intrusion software”.

The problem with this analysis starts with the fact that BIS admits that an auto-updater is “intrusion software.” That’s an inescapable conclusion, of course, because the auto-updater overides operating system requirements that require user interaction to install new programs and does so to modify system data by installing the new program. But, we are told by BIS, the auto-updater doesn’t generate, operate, deliver, or communicate with “intrusion software.” Well, that might make sense if the auto-updater is a cyber-version of parthenogenesis and pops into existence completely unaided. That, of course, is nonsense. Some program, either the auto-updater itself or some other lines of code in the programbeing updated have to be specially designed to operate, deliver or communicate with the auto-updater for it to work at all. And so that code, either as part of the updater or the program itself, is covered by the ECCN. In short, an auto-updater unless accompanied by a program covered by the new ECCN is useless and will not work at all.

The problem here is unavoidable because of the EAR’s broad definition of program:

A sequence of instructions to carry out a process in, or convertible into, a form executable by an electronic computer

The lines of code in Chrome that deliver the auto-updater are, without question, a sequence of instructions convertible in a form executable by a computer, i.e. a program, specially designed to deliver other lines of code to defeat operating system protections requiring user interaction before modifying system data. If Chrome is exported with those lines of code that deliver the auto-updater it needs a license; if those lines of code are stripped from Chrome, it can be exported but it will not auto-update.

Of course, BIS has made it clear that it does not think auto-updaters are covered, so I don’t think Google needs to worry about violating the law. Unfortunately, the reasoning that BIS used to reach this conclusion is nonsense.

Permalink Comments Off

Bookmark and Share





Jun

10

The District of Columbia? Is That Somewhere in South America?


Posted by at 11:59 pm on June 10, 2015
Category: BIS

African American Civil War Memorial Metro Stop by Clif Burns via Flickr https://www.flickr.com/photos/clif_burns/12398814043/ [with permission]Those of us who live in the District of Columbia are used to, if not content with, the routine indignities imposed on us as residents of that tiny square of reclaimed swamp land sandwiched in between Virginia and Maryland.   Like convicted felons, we can’t vote for anyone in Congress.  Like third-world dictatorships, any laws enacted by our city council cannot go into effect unless approved by our unelected overlords in Congress.  When trying to book a hotel or buy a gadget over the Internet, we find we can’t fill out the order form because the District of Columbia, which is not a state, is not listed in the drop-down list of states.   When traveling, we can be denied boarding flights because some TSA agent decided that a D.C. drivers license isn’t a state-issued ID.

So kudos to the Bureau of Industry and Security (“BIS”) for, at last, recognizing that the District of Columbia exists, as it finally did in the recently proposed amendment to the definitions in the Export Administration Regulations.  Currently, section 734.2(b)(8) of the EAR says this:

Export or reexport of items subject to the EAR does not include shipments among any of the states of the United States, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States. These destinations are listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census

Take a look at Schedule C which defines those territories, dependencies and possessions of the United States that are not exports, and you will see Puerto Rico, the Virgin Islands, Guam, American Samoa, Northern Mariana Islands, and the United States Minor Outlying Islands. Conspicuously missing from the list is the District of Columbia.

The proposed amendments add a new section 734.18(a)(3) which says this:

Shipping, moving, or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the
Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census.

Now that may be good news for us in the District of Columbia, but it’s bad news for anyone who has ever shipped an item on the Commerce Control List, such as a cattle prod, into the District of Columbia in the past five years. Anyone who did that has violated U.S. export laws because the District of Columbia is not a state and it’s not listed in Schedule C. It’s a foreign destination under current rules. You could go to jail. You could be fined $250,000 for each such export by BIS. You could have your export privileges denied. So, folks, get those voluntary disclosures in before you find a team of ICE agents in your offices carting off all your computers and interrogating all your employees.

Permalink Comments (1)

Bookmark and Share





Jun

9

OFAC Announces Travel Ban to Iran


Posted by at 3:22 pm on June 9, 2015
Category: Iran SanctionsOFAC

Imam Khomeini by Kaymar Adl [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/kamshots/515002010/ [cropped]Okay, yes, the headline is clickbait, but it’s also not too far from the truth. (Unlike typical clickbait — such as “Four Foods You Eat That Are Poisonous: Number 4 Will Really Surprise You” or “Twelve Really Famous Movie Stars With Really Bad Teeth” — which is largely untrue.) The basis for this (slightly) sensationalized headline is something an official from the Office of Foreign Assets Control (“OFAC”) said yesterday at the meeting here in DC of the Association of University Export Control Officers.

During a Q&A period, an audience member posed three scenarios and asked which ones, if any, would require an OFAC license. Scenario 1: a faculty member goes to Tehran to attend an open conference and presents a paper in collaboration with Iranian professors that is intended to be published. Scenario 2: a faculty member goes to Tehran to attend the same open conference and reads an already published paper and answers no questions from the audience. Scenario 3: a faculty member goes to Tehran to attend the conference and does nothing but listen.

Easy, said the OFAC representative. (And the answer will really surprise you.) “All three require a license. Merely attending the conference is the provision of a service in Iran.”

By that logic, of course, all travel to Iran is banned. If you go to Iran to see your relatives, you’re providing a service in Iran to your relatives. If you go to Iran to write a story on contemporary Iranian youth, you’re providing a service to contemporary youth in Iran. If you go to Iran to ski, you’re providing a service to Iranian ski resorts. If you go as a tourist and give a fellow tourist directions, you’re providing a service in Iran to your fellow tourist.

Okay, I’m being somewhat unfair. Not all travel is banned to Iran. If you are a penniless, uneducated vagrant unable to speak, hear or otherwise communicate, you can go to Iran without a license. Bon voyage.

Permalink Comments (4)

Bookmark and Share




« Previous posts | Next posts »