Blame Canada!


Posted by at 9:18 am on June 13, 2014
Category: BIS

Bass Pro Store via http://content.basspro.com/outdoorworld/storeGalleryXML/storegalleries/67_6683939_0.jpg [Fair Use]

Gun and sporting equipment retailer Bass Pro agreed to pay to the Bureau of Industry and Security (“BIS”) a $25,000 fine for exporting nine rifle sighting devices classified as ECCN 0A987 to China, Cyprus and Canada.

Wait, did you say Canada? Canada??? As in the 51st state? Surely this must be a mistake. Is that even an export? I thought you could export everything but Justin Bieber to Canada.

Of course, that’s a common misconception, and this case is an object lesson in one of the few things that can’t be exported to Canada. Items covered under ECCN 0A987, such as rifle scopes and sighting devices, have Firearms Convention (FC) as a reason for control and require BIS licenses for exports to all signatories to the Convention, including Canada.

The convention in question is the OAS’s Inter-American Convention Against the Illicit Manufacturing of and Trafficking in Firearms, Ammunition, Explosives, and Other Related Materials. All members of the OAS except Cuba have signed the convention. The United States, mostly as a result of the NRA’s desire to protect the right of Mexican drug lords to own automatic weapons, has signed but not ratified the treaty.

So even though you can ship a rifle scope to France without an export license from BIS, under the OAS Firearms Convention you can’t ship one to Canada without that license.

DDTC Deflates Cloud Puffery


Posted by at 5:25 pm on June 11, 2014
Category: DDTC, Deemed Exports, Encryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data was encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather, the token and the original data are maintained on a secure server, which can be used to swap the token back for the original data when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.
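The flow described above, as an added example (not from the original post or from Perspecsys): a minimal vault that issues random tokens and can reverse them only by lookup. The class, function and field names are hypothetical, and the sample record is constructed.

```python
import secrets


class TokenVault:
    """Token-to-value table; the only place a token can be reversed."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so a repeated value maps to one token.
        if value in self._token_by_value:
            return self._token_by_value[value]
        # The token comes from the OS CSPRNG. It is not computed from the
        # value, so no key or algorithm turns it back into the value.
        token = "tok_" + secrets.token_hex(16)
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # A lookup, not a decryption: a token this vault never issued fails.
        if token not in self._value_by_token:
            raise KeyError("token not issued by this vault")
        return self._value_by_token[token]


def tokenize_record(vault, record, sensitive_fields):
    """Return the copy of `record` that would be sent to the cloud."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


def detokenize_record(vault, record, sensitive_fields):
    """Restore the original values; only possible where the vault lives."""
    return {k: vault.detokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


# Constructed sample record; field names and values are made up.
SAMPLE = {"part_no": "NV-0001", "drawing_note": "constructed sample text",
          "status": "released"}
SENSITIVE = {"part_no", "drawing_note"}

if __name__ == "__main__":
    vault = TokenVault()
    outbound = tokenize_record(vault, SAMPLE, SENSITIVE)
    print(outbound)
    print(detokenize_record(vault, outbound, SENSITIVE) == SAMPLE)
```

The tokenized record carries fixed-length random strings in place of the sensitive fields, and a second vault holding no mapping cannot reverse them.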

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees were covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]

Spanish Night Vision Dealer Debarred for Unauthorized Re-Exports


Posted by at 6:19 pm on June 10, 2014
Category: DDTC, Part 122

By Spc. Jeffery Sandstrum via http://usarmy.vo.llnwd.net/e2/-images/2007/11/01/9792/ [Public Domain]

Carlos Dominguez and his Madrid-based company Elint SA have been administratively debarred by the Directorate of Defense Trade Controls in connection with his unauthorized re-exports and re-transfers of night vision equipment shipped to him from the United States pursuant to DDTC licenses. The unauthorized re-exports and re-transfers were discovered by so-called Blue Lantern checks conducted by foreign embassy staff at the request of the DDTC to determine the ultimate disposition of items exported from the United States pursuant to DDTC licenses. (Interestingly, the cables requesting the Blue Lantern transfers had been previously disclosed when they were leaked by WikiLeaks.)

As a result of the unfavorable Blue Lantern checks, DDTC first imposed in 2009 a policy of denial on Dominguez and Elint. In 2010, DDTC followed up by sending a directed disclosure demand to Elint and Dominguez. A directed disclosure is a DDTC demand that the recipient investigate its export practices and provide to DDTC a list of all its export violations, a request that Dominguez and Elint not surprisingly ignored. A charging letter followed, also ignored, which led to a finding of default by an administrative law judge and the instant order of debarment.

Although section 127.7 of the ITAR specifies that such administrative debarments are “generally” for a period of three years, the order against Dominguez and Elint mentions no time period and is, presumably, permanent. It is safe to say that DDTC is not amused with Dominguez, and this appears to be in large part because of considerable evidence alleged by DDTC that Dominguez tried to evade the policy of denial by setting up shell companies and acting through third parties.

Interestingly, DDTC claims that it has the authority to issue “directed disclosures” under section 122.5(b) of the ITAR, which is, at best, a rather fanciful construction of that section. That section requires that records “maintained” under section 122.5 must be made available to DDTC, but says nothing about any obligation to create new records at the request of DDTC and then provide them. More interestingly, section 122.5 applies to “persons required to register” under Part 122. That obligation is imposed on persons who engage “in the United States in the business of manufacturing or exporting” defense articles. That, of course, does not cover foreign end users of U.S. exports, so it is not at all clear how DDTC can justify issuing the directed disclosure to Dominguez under section 122.5(b).

Beat the Fokkers


Posted by at 9:32 pm on June 5, 2014
Category: Criminal Penalties, Iran Sanctions, OFAC

Fokker Services Building in Hoofddorp via http://www.fokker.com/sites/default/files/styles/carousel_innovations/public/media/Images/Services/Contact_Fokker_Services_Location_Hoofddorp_637x286.jpg?itok=NYP0cc2k [Fair Use]

The Office of Foreign Assets Control (“OFAC”) announced today that a $21 million fine had been extracted from the Dutch company Fokker Services BV in connection with its export of U.S. origin spare aircraft parts from the Netherlands to Iran and Sudan. The re-exports to Iran and Sudan by a Dutch company were prohibited under section 560.205 of the Iran regulations and section 538.507(b) of the Sudan regulations because the aircraft parts were presumably ECCN 9A991, although this fact is not expressly stated.

Half of the $21 million is being paid in connection with a deferred prosecution agreement with the U.S. Attorney for the District of Columbia. This is disturbing because the OFAC announcement makes clear that the exports were voluntarily disclosed by Fokker to OFAC. One of the major incentives for a voluntary disclosure is to avoid criminal prosecution. After the Fokker case, people are certainly going to think twice about making a voluntary disclosure.

Nothing in OFAC’s description of the reasons for the penalty justifies turning a voluntary disclosure into a criminal prosecution. OFAC describes the violation as “wilful and reckless” because Fokker knew that these were U.S. origin parts. Note that there is no claim that Fokker knew that its export of these parts from the Netherlands to the embargoed countries was a violation of U.S. law, only that it knew that the parts were U.S. origin. Foreign persons might well not understand that exports of U.S. origin parts from their own country and in compliance with their own laws would be illegal, so OFAC is making an unjustifiable leap from knowledge of the parts’ origin to a “wilful and reckless” violation of law. Another aggravating factor was the absence of a U.S. sanctions compliance program at the Dutch company, again hardly a sound reason for turning a voluntary disclosure into a criminal prosecution.

ITAR Registration Puffery: XAND Raises the Bar


Posted by at 6:38 pm on June 4, 2014
Category: Part 122

XAND Data Center via http://www.xand.com/assets/MG_2226_Low-1024x668.jpg [Fair Use]

An ongoing feature of this blog has been, for some time, to highlight ITAR registration press releases where companies breathlessly announce their registration under part 122 of the ITAR as if it were equivalent to having been awarded the Nobel Peace Prize, an Oscar, and three Michelin stars on the same day, when in fact the State Department routinely hands out Part 122 registration to anyone who can figure out how to fill out a short form, write a check for the registration fee and send both to Washington. Once the check clears, a registration is issued by DDTC without so much as even looking at the registrant’s elevator certificates and corporate cafeteria lunch menu.

So when a friend of the blog pointed out a press release headlined “Xand Earns International Traffic in Arms Regulations (ITAR) Compliance from U.S. Department of State,” it was clear that we had a moral obligation to bring to our readers the latest and greatest in marketing department hyperbole.

Xand, the Northeast’s premier provider of cloud, managed services, colocation and disaster recovery announced today the successful completion of all regulatory requirements required to attain International Traffic in Arms Regulations (ITAR) registration and compliance from the U.S. Department of State, a unique distinction among infrastructure service providers.

Okay, so maybe the “regulatory requirements” meant by Xand were filling out the form and sending the check. Well, you might think that until you see what the company’s Chief Security Officer had to say:

We selected data center facilities in Pennsylvania, New York, and Massachusetts to undergo thorough and exhaustive compliance testing to meet the critical standards of the U.S. Department of State. The end result allows Xand to provide clients with unmatched geographic diversity and redundancy options when it comes to housing, storing, and protecting the data and technology infrastructure needed to power the critically important work of the defense industry.

It seems to me that the State Department ought to tell people that it will revoke the registration of anyone who so fundamentally misunderstands the ITAR as to suggest in public that registration is the result of compliance testing and constitutes a certification that the registrant is compliant.

One other interesting point here is to try to figure out why Xand needed registration in the first place. Registration is required for parties that manufacture items on the USML and for those that export goods or technical data on the USML. Frankly, I’m baffled how a domestic cloud and colocation service provider does either of those things even if it has customers that manufacture or export USML items. Anyone have any thoughts on this?
