
BIS Implements Wassenaar’s Note 4 Amendment: Accentuate the Positive


Posted by at 10:07 am on August 24, 2017
Category: BIS, Encryption

Maxwell Smart's Shoe Phone [Fair Use]

Last week the Bureau of Industry and Security published a final rule implementing the changes adopted by the December 2016 Wassenaar Arrangement’s Plenary meeting. Most of these changes are the usual nits and quibbles cooked up to justify a nice government-paid international trip by the delegates. Like this:

The Heading of 1C608 is amended by adding double quotes around the defined term “energetic materials” …

The most interesting change, however, at least in my view, was the re-working of Note 4, which provides a broad exception to export controls on encryption.   Allegedly, the change wasn’t supposed to change anything, and BIS’s notes to the amendments say just that.   This, of course, would lead ordinary people to wonder why change something you don’t want to change, but, of course, I guess they felt guilty charging their governments for simply re-arranging semicolons, adding quotation marks and correcting spelling errors in the Wassenaar lists.

Part of the problem in the new, improved version is that it’s going to be harder to explain to clients.  Anyone who has spent much time dealing with software engineers on encryption export matters will immediately see the difficulties ahead.   (That means anyone who has had to argue with a software engineer that his program is still covered even though the encryption routines are called from the operating system.)  This post is intended to help you in that process (as well as to make fun of a note added to 5A002 by the amendment).

So, let’s take a quick trip down memory lane and now look at the text of the old Note 4.

Note 4: Category 5—Part 2 does not apply to items incorporating or using ‘‘cryptography’’ and meeting all of the following:
a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions. …

Under the new amendments, the idea is “the creation of positive text in 5A002.a to specify the items subject to control.” I bet the entire encryption world was anxiously awaiting that, don’t you? So, to create this, er, “positive text” subsections 1, 2 and 4 have been moved to the text of ECCN 5A002. Subsection 1 becomes 5A002.a.1, subsection 2 becomes a.3 and subsection 4 becomes a.2 as follows:

a. Designed or modified to use ‘cryptography for data confidentiality’ having ‘in excess of 56 bits of symmetric key length, or equivalent’, where that cryptographic capability is usable without ‘‘cryptographic activation’’ or has been activated, as follows:
a.1. Items having ‘‘information security’’ as a primary function;
a.2. Digital communication or networking systems, equipment or components, not specified in paragraph 5A002.a.1;
a.3. Computers, other items having information storage or processing as a primary function, and components therefor, not specified in paragraphs 5A002.a.1 or .a.2

And, if you look closely, you can see that part of 3 was slipped into a.3 when it references items having “information storage” as a primary function. (Operating systems now get caught in 5D002.a.1 which controls software for the use of computers described in 5A002.a.3).

But what about items with the primary purpose of sending and receiving information? In the software context, this meant, for example, email and FTP programs, which were not considered eligible for the Note 4 exemption. You have to assume that is now captured by a.2, which talks not just about networking but also about “digital communication.”

That leaves subsection b of Note 4, which, frankly, never seemed to apply to much of anything. That now becomes a.4:

Items, not specified in paragraphs 5A002.a.1 to a.3, where the ‘cryptography for data confidentiality’ having ‘in excess of 56 bits of symmetric key length, or equivalent’ meets all of the following:
a.4.a. It supports a non-primary function of the item; and
a.4.b. It is performed by incorporated equipment or ‘‘software’’ that would, as a standalone item, be specified by ECCNs 5A002, 5A003, 5A004, 5B002 or 5D002.

Because it’s not clear what exactly such an item would be, the amendment adds a not very helpful note, in the theme of creating “positive text,” to the new 5A002 to give examples of some items that are not 5A002.a.4. Here’s one:

An automobile where the only ‘cryptography for data confidentiality’ ‘in excess of 56 bits of symmetric key length, or equivalent’ is performed by a Category 5—Part 2 Note 3 eligible mobile telephone that is built into the car. In this case, secure phone communications support a non-primary function of the automobile but the mobile telephone (equipment), as a standalone item, is not controlled by ECCN 5A002 because it is excluded by the Cryptography Note (Note 3)

Okay, I’m going to say it: what century do the plenary delegates live in? Did they all travel in a time machine from 1980 to Wassenaar? Mobile phones built into cars?

So while we’re engaged in time travel, here’s an example of something that would be caught by 5A002.a.4: Maxwell Smart’s shoe phone. Of course, I’m assuming that like any good phone it incorporates non-standard cryptography. The principal purpose of the shoe is, of course, walking and the cryptography supports its non-primary function of talking. So there.



Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)




OFAC Repeals, IPSA Facto, Iran General License H.


Posted by at 6:29 pm on August 15, 2017
Category: General, Iran Sanctions, OFAC

IPSA Phoenix Office via Google Maps [Fair Use]
ABOVE: IPSA Phoenix Office

Last Thursday, the Office of Foreign Assets Control (“OFAC”) announced that IPSA International had agreed to pay a fine of $259,200 to settle charges that it violated the Iranian Transactions and Sanctions Regulations (“ITSR”) in connection with background investigations conducted on Iranian nationals by IPSA’s foreign subsidiaries. In order to support the charges against IPSA, OFAC unnecessarily concocted a theory which effectively repeals Iran General License H and substantially increases the risk that U.S. companies will be fined for what had previously been thought to be legal activities by foreign subsidiaries involving Iran.

At issue are two contracts entered into by IPSA: one with a foreign government (“Contract #1”) and the other by IPSA’s Canadian subsidiary with a foreign government-owned financial institution (“Contract #2”). Both contracts required background checks on various individuals, some of whom were in Iran. Those background checks, including the ones in Iran, were conducted not by IPSA but by its Canadian subsidiary and another subsidiary in Dubai. OFAC concedes that both subsidiaries “managed and performed” the background investigation contracts involving the Iranian nationals. Significantly, OFAC does not allege or claim that the results of these investigations were ever communicated by either foreign subsidiary to IPSA in the United States. Nevertheless, OFAC claims the conduct of these investigations in Iran constituted a violation of the ITSR.

In the case of Contract # 2, OFAC alleges that IPSA violated the prohibition against facilitation in section 560.208 of the ITSR when it “reviewed, approved, and initiated the foreign subsidiaries’ payments to providers of the Iranian-origin services.”  That, if true, would make out a fairly clear-cut facilitation violation by IPSA.

Things get problematic, however, in the case of Contract #1. OFAC asserts that in that case  IPSA imported Iranian-origin services into the United States in violation of section 560.201 of the ITSR.  This was not because the results of the background checks were communicated to IPSA in the United States because, as we’ve noted, OFAC has not alleged that occurred.  It was because the background checks in Iran were conducted “for the benefit of” IPSA.

This is a troubling rationale because everything done by a foreign-incorporated subsidiary of a U.S. company is “for the benefit” of the parent company in the United States. Under this benefit theory, General License H, which permits certain activities by foreign subsidiaries, is completely eviscerated. IPSA’s signing and entering into the contract performed by the subsidiaries clearly facilitated those activities in violation of section 560.208 of the ITSR, so there was no need to suggest a violation based on a benefit theory. It is unclear why OFAC would have chosen in the case of Contract #1 to argue importation of services under a benefit theory rather than facilitation unless it intended to create uncertainty about the proper scope of General License H.


Rafa Marquez Shown Red Card By OFAC


Posted by at 1:08 pm on August 10, 2017
Category: Narcotics Sanctions, OFAC, SDN List

ABOVE: Rafael Márquez Alvarez

Yesterday the Office of Foreign Assets Control (“OFAC”) designated legendary Mexican footballer Rafael Márquez under the Foreign Narcotics Kingpin Sanctions Regulations. According to the press release accompanying the designations Márquez allegedly acted as a front man for, and held assets for, Flores Hernandez and his “drug trafficking organization.”

The press release takes specific note, if not some scarcely concealed glee, that Márquez is a “Mexican professional soccer player.” In fact, Rafa Márquez is not just any professional player. He is arguably the best defender in Mexican history and certainly its most decorated. He currently plays for the Mexican club Atlas and captains the Mexican national soccer team. All of which makes you wonder why on earth he would waste time fronting for a drug kingpin and whether OFAC’s charges that he did so are even credible. Tom Brady may have deflated a few footballs but it is unimaginable that he would ever go full Walter Heisenberg and involve himself with a methamphetamine distribution network.

Márquez, as you have probably guessed, is vigorously denying these charges.

So by now you’re probably wondering this: where’s the red card that OFAC has shown Márquez? We all know, don’t we, that blocking an employee doesn’t block the organization. The Mexican national team isn’t blocked just because Márquez is on it. When Mexico and the United States play in the 2018 World Cup, the U.S. team won’t get in trouble, will they, if Márquez is playing for Mexico?

Well, that’s not clear. Section 598.406 of the Foreign Narcotics Kingpin Sanctions Regulations prohibits any U.S. person from providing any “services . . . for the benefit of” Márquez. You can’t play soccer without two teams, so the U.S. players are performing a service for Márquez by playing (and not just if they lose). Maybe even Mexico will insist on playing Márquez in that game hoping that the U.S. will have to forfeit the game.

Of course, there’s always the possibility that OFAC will issue a general license — analogous to Iran General License F which permits U.S. athletes to compete in professional sporting events in and with Iran (although even that license carves out blocked persons). Or maybe OFAC will issue a specific license for the World Cup.

Another possibility is that by the time of the World Cup Márquez will have successfully challenged the designation and will have been unblocked. Márquez is unlikely to prevail if his argument before OFAC is that he didn’t have anything to do with Flores. OFAC will no doubt say that it has evidence that he did and that such evidence is classified because disclosing it would reveal intelligence sources and methods. The more fruitful course for Márquez, and the one most often used for getting OFAC to undesignate a party, would be to argue to OFAC (if true) that he no longer has any dealings with Flores and that he will commit not to have any in the future. He might propose a compliance monitor to the agency to back up that promise. And he could promise to use his megastar status to make PSAs and visit schools and engage in other good works.

Another possibility is that Mexico will impose blocking sanctions on Buster Posey, Bryce Harper, and Anthony Rizzo, and promise to lift them only if the sanctions on Rafa are lifted by OFAC. Stay tuned. ¡El miedo no anda en burro!

Photo Credit: By F. Vera | DailyHarrison.com (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)] via Wikimedia Commons https://commons.wikimedia.org/wiki/File%3ARafaelMarquezAlvarez.jpg [cropped and color corrected]. Copyright 2011 F. Vera


If A U.S. Attorney Can’t Get Export Law Right, Why Should Anyone Else?


Posted by at 6:14 pm on August 9, 2017
Category: Criminal Penalties, Syria

Orange Check Cashing via Google Maps [Fair Use]

Rasheed Al Jijakli, the owner of Orange Check Cashing in Orange, California, has been indicted for illegal exports of tactical flashlights, rifle scopes, cameras, radios, voltmeters and laser boresighters to Syria. According to the indictment, Jijakli allegedly took the items with him on flights to Turkey, crossed the border from Turkey to Syria and gave the items to rebel groups in Syria. He was arrested on August 1 and released on a $250,000 bond pending trial.

Of course, for the criminal indictment to succeed the U.S. Government must prove that Jijakli knew that supplying these items to persons in Syria was illegal. The indictment alleges that Jijakli told an un-indicted co-conspirator “about a technique he used to smuggle goods into Turkey without being detected by law enforcement.” It also alleges that he asked the same unindicted co-conspirator if he “needed an alias in the event law enforcement questioned [him] about the purchases.” The trial and any conviction may well turn on whether a jury decides the un-indicted co-conspirator is telling the truth about these statements by Jijakli.

But the prosecution’s efforts to prove that Jijakli understood the complexities of export law sufficiently to have criminal intent will be hindered by the prosecution’s own inability to understand the relevant export laws. Paragraph 6 of the indictment says this:

6. With certain limited exceptions not applicable here, U.S. sanctions against Syria prohibited, among other things, the export, re-export, sale, or supply, directly or indirectly, of U.S.-origin goods from the United States or by a United States person wherever located, to Syria without prior authorization from the Secretary of the Treasury.

Nope. The Syrian Sanctions Regulations administered by the Office of Foreign Assets Control (“OFAC”) in the Treasury Department do not prohibit the export of goods to Syria. Section 542.207 which regulates exports to Syria only prohibits unlicensed exports of services from the United States or by a U.S. person. The export of goods to Syria is instead controlled by the Export Administration Regulations. Only a license from BIS is required for export of goods to Syria; no license from OFAC or the Secretary of Treasury, as the indictment would have it, is required.

If a prosecutor with a law degree can’t get U.S. export laws right, how can we expect a guy who owns a check cashing place in a strip mall to get it right?


Touch a U.S. Dollar Anywhere, Go Directly to U.S. Jail


Posted by at 11:58 pm on August 2, 2017
Category: Iran Sanctions, OFAC

DSME Drillship via http://cse-transtel.com/wp-content/uploads/2016/06/DSME-Ultra-Deep-Water-Drillship-Project.jpg [Fair Use]

Two companies in Singapore, CSE Global and CSE Transtel, agreed to pay the Office of Foreign Assets Control (“OFAC”) $12,027,066 to settle charges that they violated the Iran Transactions and Sanctions Regulations (“ITSR”). The charges arose from CSE Transtel supplying telecommunications goods and services to energy projects in Iran. OFAC did not allege that these goods and services originated in the United States. Rather, OFAC alleged that because the vendors were paid in U.S. Dollars, CSE had caused the export of financial services from U.S. banks to Iran in violation of section 560.204 of the ITSR.

Now we’ve been through this U.S. dollar business with OFAC before. In the typical case, OFAC’s claim of jurisdiction over the foreign company is based on the fact that the foreign company’s bank and the foreign company’s customer’s bank would have used correspondent accounts denominated in dollars and held in U.S. banks to effectuate the transaction. Of course, whether the transfer of dollars between U.S. banks in connection with a foreign company’s sale of goods to Iran is the export of a financial service to Iran is not entirely clear. But at least in this scenario you can see a direct flow of dollars related to a specific Iranian transaction.

But the Singapore situation is different because Singapore is authorized to engage in offshore dollar clearing transactions. And, as the OFAC release admits, the transactions in question were effectuated through U.S. Dollar accounts held in Singapore banks. The way that U.S. Dollar transactions are cleared in Singapore is described here. Suffice it to say, there are cases where U.S. Dollar transactions can be cleared in Singapore under this system without a U.S. bank ever being involved. If, for example, CSE and its vendor had U.S. Dollar accounts at the same bank, or were the only dollar transactions between two Singapore banks on a clearing day, the Singapore clearing house would clear the transactions without the need for either bank to make up a dollar deficit as part of the clearing process.

But in the other possible (and more likely) situations where the dollars clear in Singapore but dollar transfers are needed to make up differences between banks, it still can’t be said that the dollar transfers to settle the dollar position of the Singapore bank are the export of a financial service to Iran. Say a bank in Singapore pays $10,000 for a customer’s Iran transaction but during the day pays out $200,000 and receives $100,000 where none of these other dollar transactions have anything to do with Iran. It will need to transfer $100,000 to the Singapore clearing house, which will be effectuated through a U.S. Dollar correspondent account in the United States. In that case the bank in the United States has not transferred any financial service to Iran because the payment relates to an aggregate of transactions valued at $300,000, almost all of which have nothing to do with Iran.

The only scenario in the Singapore clearing situation where the U.S. bank would transfer a financial service to Iran would be where the Iran payment by the Singapore bank is the only U.S. dollar transaction by the Singapore bank during the clearing day. In that case, the transaction looks like a traditional one where the dollar payment is cleared through the U.S. bank. But there is no reason to believe that any or all of the CSE Iran transactions were the only dollar transactions during that clearing day. But that doesn’t stop OFAC from inaccurately claiming that every dollar transaction conducted by CSE through its Singapore accounts caused a transfer of financial services from the United States to Iran.
