OFAC Fines Bank for Defective Screening Software


Posted at 11:17 pm on June 24, 2015
Category: OFAC

National Bank of Pakistan Chauburji [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimapia http://wikimapia.org/17730284/NATIONAL-BANK-OF-PAKISTAN-CHAUBURJI [cropped]

The Office of Foreign Assets Control (“OFAC”) announced that it had fined the New York branch of the National Bank of Pakistan $28,800 in connection with seven wire transfers made by the Bank in an amount totaling $55,952.14 to an entity on OFAC’s Specially Designated Nationals and Blocked Persons List. The transfers went to Kyrgyz Trans Avia, an airline headquartered in Bishkek, Kyrgyzstan. The transfers were from or to an account denominated “LC Aircompany Kyrgyztransavia.” Although the SDN List contains references to both Kyrgyz Trans Avia and Kyrgyztransavia, the Bank’s screening software failed to identify the match.

OFAC noted that the base amount for the penalty under its guidelines was $64,000. That the error was a software error, meaning that no one at the Bank was aware of the violation, was considered a mitigating factor. But this mitigation still resulted in a substantial fine equal to approximately half of the funds transferred and far more than any conceivable profits the bank made on the transfers.

The interesting issue here is whether the Bank has any recourse against the unnamed software provider. The answer is probably no, given that it is quite likely that the software license includes standard language disclaiming any liability for consequential damages arising from any failures or errors by the software. The take-away is this: select your screening software carefully, audit it frequently and do your best to get an indemnification from the provider.

White House Okays Private Ransom Payments to SDNs


Posted at 9:57 pm on June 23, 2015
Category: OFAC, SDN List

Iran Hostages by State Department via Flickr https://www.flickr.com/photos/statephotos/14059711278 [Public Domain]

A number of press reports today, including this one, indicate that the Obama Administration will announce on Wednesday that it is revising its policies and will no longer threaten to prosecute families that pay ransoms to terrorists in an effort to release their loved ones. The stories that I read appear to believe that paying ransoms is, in general, a violation of federal law. Readers of this blog will, of course, probably know that such payments are illegal only when the persons receiving the ransom are on the Specially Designated Nationals and Blocked Persons List. In many cases of hostage taking in the Mideast, the responsible groups are indeed on the list and so payment to those groups, no matter how well-intentioned, would otherwise be illegal.

How exactly this exemption will be accomplished is not made clear in the news reports. This is an interesting question. It hardly seems likely that the White House will direct the Office of Foreign Assets Control to issue a general license for hostage payments by family members. This leads to an even more interesting question. Even if the DoJ, under the new policy, will not prosecute or threaten to prosecute families making such payments, will there still be a chance of administrative penalties imposed by OFAC on families that make ransom payments to SDNs?

This is not an entirely far-fetched question. Remember that OFAC has previously said that payments should not be made to pirates without being certain that the pirates were not on the SDN List, leading, of course, to the logical question as to how that was to be done. Do you make the pirates show you their passports before you drop the money on the ship?

Payments of ransoms are, of course, a thorny policy issue given that such payments undoubtedly encourage further kidnappings. On the other hand, it is hard to ask families to sacrifice their own loved ones on the chance that this will deter future kidnappers and save other people’s husbands, wives, sons and daughters.

The Ostriches and the Kookaburra: A Fable for Our Time


Posted at 8:38 am on June 19, 2015
Category: BIS, Criminal Penalties

Ostrich, Wainstalls by James Preston [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/jamespreston/8485895143 [cropped]

Two austere ostriches, Osgood and Osbad, who lived near an old gum tree somewhere in the Australian outback, ran a successful business buying cattle prods made by Cow Poke, Inc., located in Kankakee, Illinois, and selling them to cattle farmers in Australia. One day they received an order from the kookaburra who lived in their old gum tree for one of their cattle prods. He even offered cash in advance and said that he would have many other orders in the future.

Osgood looked quizzically at the kookaburra and wondered why a kookaburra might need a cattle prod, but decided not to ask. As it was an unusually warm afternoon, he decided to cool off by burying his head in the sand.

Osbad, dreaming of future orders and hoping to buy a bus trip to Perth for a holiday weekend, asked the kookaburra to hand over the money and promised to bring him a cattle prod right after he paid the money, which he did.

“Don’t you wonder,” said the kookaburra, “what on earth I could possibly do with a cattle prod?”

“No!” said Osbad, “I DO NOT!! It’s quite hot and I think I’ll join my mate Osgood and cool off by burying my head in the sand.”

“Actually,” said the kookaburra, “I’m selling them to my customers in Iran,” but by the time he had said the word “Iran,” Osbad’s head was completely covered with sand and he couldn’t hear a word that the kookaburra was saying.

When the Cow Poke Cattle Prods were discovered in Iran, investigators for the Bureau of Industry and Security (“BIS”) traced them back to Osgood and Osbad. The Australians served a provisional arrest warrant on the two ostriches, who were subsequently extradited to the United States for trial. Once the jurors heard that Osgood and Osbad buried their heads in the sand, it was all over for the poor birds, and they were convicted and sentenced to 6 years in a maximum security prison.

On appeal to the Seventh Circuit, Judge Posner upheld the conviction of Osbad and reversed the conviction of Osgood. He noted:

There is no evidence that suspecting he might be [helping the kookaburra sell cattle prods to Iran, Osgood] took active steps to avoid having his suspicions confirmed. Suppose [the kookaburra] had said to him “let me tell you [where the cattle prods are really going],” and he had replied: “I don’t want to know.” That would be ostrich behavior (mythical ostrich behavior—ostriches do not bury their heads in the sand when frightened; if they did, they would asphyxiate themselves). An ostrich instruction should not be given unless there is evidence that the defendant engaged in behavior that could reasonably be interpreted as having been intended to shield him from confirmation of his suspicion that he was involved in criminal activity. [This is exactly what Osbad did, which is why we reverse for Osgood and uphold the conviction for Osbad.]

Osbad remained in maximum security prison, while Osgood was allowed to return to the outback in Australia. On his return, Osgood found a letter from BIS indicating that it had entered a thirty-year export denial order and fined him $250,000 for the sale of the cattle prods to Iran, noting that while ignoring red flags, without more, might save you from jail, it would not save you from the wrath of BIS.

Moral: If you’re going to bury your head in the sand, do it before the kookaburra sings.

The Seventh Circuit opinion in United States v. Macias, which I adapted here, makes clear that simply ignoring red flags is not enough to support the criminal intent necessary for a conviction. The failure to engage in further due diligence in the face of red flags is not, in Judge Posner’s view, sufficient. Instead, there must be some “active avoidance” of learning the facts that the red flags suggest may be probable. Another example of active avoidance given in the opinion involves a hypothetical situation where a landlord, fearing he has rented his property to drug dealers, changes his normal commuting route to avoid driving by the house, fearing he might see drug activity if he did. The “active” in the “avoidance” here is changing the route.

A fuller and more serious discussion of United States v. Macias, written by my colleague Mark Srere and me, can be found here.

[Apologies to James Thurber.]

How To Go To Jail Right Now: A Gothamist Primer


Posted at 9:55 pm on June 17, 2015
Category: Cuba Sanctions, OFAC

Cuba - Havana - Car by Didier Baertschiger [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/didierbaertschiger/11785935544 [cropped]

Popular local website group Gothamist (which is also responsible for DCist, LAist, Chicagoist, and others) ran on its websites today the intriguingly titled: “How To Go To Cuba Right Now: A Travel Primer.”  You can guess what I think of that article by my title for this post: “How To Go To Jail Right Now: A Gothamist Primer.”

The Primer is authored by Tod Seelie, who appears to be a talented photographer, who describes his trip to Cuba.  He said he wanted to go to see the old cars, the crumbling buildings and the beaches.  Wondering if it was as “easy as buying a ticket online,” he bought a ticket from a website.  He notes he “checked ‘journalistic activity,’ though my visa ultimately identified me only as a tourist.”  And he was off.

The rest of his story details how to get an AirBNB room, the different currencies for locals and tourists, the drinkability of the water, the cost of cabs, the absence of soap in bathrooms, the skimpy miniskirts worn by Cuban customs agents, and how hard it was for him to understand Cuban Spanish because they drop their s’s at the end of words. Finally, he noted that on the way back from what appeared to be more a vacation than anything else, the only question he was asked by the CBP agent was “Did you have fun?”

Nowhere in the article does Seelie do anything to rebut the likely assumption by his readers that anybody who wants to bop around Old Havana for a weekend getaway can just book an online ticket, sign on to AirBNB to book a room, stuff a moneybelt with cash and head off for sun and mojitos. As readers of this blog know, but readers of blogs in the Gothamist empire probably won’t know, you can’t just go to Cuba as a tourist. You have to go for one of the permitted reasons set forth in the regulations.

What about Mr. Seelie? Did he break the rules? Well, he has a colorable case that he is a journalist, since the regulations include in the definition in section 515.563 “a freelance journalist with a record of previous journalistic experience working on a freelance journalistic project.” Mr. Seelie’s bio suggests he’s published some pictures in some newspapers so we’ll give him this. But, but, but, there’s this in the rules:

The traveler’s schedule of activities does not include free time or recreation in excess of that consistent with a full-time schedule.

You be the judge whether Mr. Seelie was in Cuba for full-time journalism and incidental fun or full-time fun and incidental journalism.

UPDATE: The article in Gothamist was written by Lauren Evans; Mr. Seelie accompanied her to Cuba to take photographs. Although Ms. Evans clearly fits, in my view, the definition of a journalist under section 515.563, she still leaves the impression that anyone can hop on a plane and go to Cuba, which, of course, is dead wrong and can lead to an unpleasant encounter with OFAC. And the question still remains whether she, in addition to Mr. Seelie, was there for full-time journalism and incidental fun or full-time fun and incidental journalism.

BIS Cybersecurity FAQs Reach the Right Result for All the Wrong Reasons


Posted at 9:16 pm on June 16, 2015
Category: BIS, Cyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg

After the uproar generated by the proposed amendments to the Export Administration Regulations to implement the Wassenaar Arrangement’s rules controlling “intrusion software,” the Bureau of Industry and Security (“BIS”) tried to calm things down by issuing some FAQs on the proposed rules. Sadly, I don’t think these FAQs are as helpful as BIS apparently thinks that they might be.

To understand the difficulty here, let’s focus on the problem I discussed in this post indicating that the new controls could reach auto-updaters, like the one in Chrome, that bypass operating system protections designed to prevent installation of new software without user interaction. The FAQs now say explicitly that auto-updaters are not covered. That is a good thing, and you (that means you, Google) can take that statement to the bank.

But the reasoning that BIS uses to reach this conclusion is dicey at best. Here it is:

Does the rule capture auto-updaters and anti-virus software?

No. Software that permits automatic updates and anti-virus tools are not described in proposed ECCN 4D004. ECCN 4D004 software must be specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software,” which is separately defined. Software that automatically updates itself and anti-virus software may take steps to defeat protective countermeasures, but they are not generating, operating, delivering, or communicating with “intrusion software”.

The problem with this analysis starts with the fact that BIS admits that an auto-updater is “intrusion software.” That’s an inescapable conclusion, of course, because the auto-updater overrides operating system requirements that require user interaction to install new programs and does so to modify system data by installing the new program. But, we are told by BIS, the auto-updater doesn’t generate, operate, deliver, or communicate with “intrusion software.” Well, that might make sense if the auto-updater is a cyber-version of parthenogenesis and pops into existence completely unaided. That, of course, is nonsense. Some program, either the auto-updater itself or some other lines of code in the program being updated, has to be specially designed to operate, deliver or communicate with the auto-updater for it to work at all. And so that code, either as part of the updater or the program itself, is covered by the ECCN. In short, an auto-updater, unless accompanied by a program covered by the new ECCN, is useless and will not work at all.

The problem here is unavoidable because of the EAR’s broad definition of program:

A sequence of instructions to carry out a process in, or convertible into, a form executable by an electronic computer

The lines of code in Chrome that deliver the auto-updater are, without question, a sequence of instructions convertible into a form executable by a computer, i.e., a program, specially designed to deliver other lines of code to defeat operating system protections requiring user interaction before modifying system data. If Chrome is exported with those lines of code that deliver the auto-updater, it needs a license; if those lines of code are stripped from Chrome, it can be exported but it will not auto-update.

Of course, BIS has made it clear that it does not think auto-updaters are covered, so I don’t think Google needs to worry about violating the law. Unfortunately, the reasoning that BIS used to reach this conclusion is nonsense.
