ExportLawBlog » Clif Burns

Author Archive

May

14

On the Internet, Nobody Knows You’re a Syrian

Posted by Clif Burns at 7:59 pm on May 14, 2013

Category: OFAC • Syria

SEA Banner http://sea.sy/uploaded_files/images/71.jpg [Fair Use] According to this report, Network Solutions in April seized over 700 domain names relating to Syria. Among these were sites used by the Syrian Electronic Army, a pro-Assad hacker group that has achieved some notoriety for taking over the AP’s Twitter account and pushing out a false tweet about alleged explosions at the White House. They also hacked The Onion’s Twitter account which led to this memorable story and headline on the satire site: “Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Death At Hands of Rebels.” All of the domains now show the owner as “OFAC Holding.” A complete list can be found here.

Frequent readers of this blog will no doubt be aware that OFAC has issued a series of general licenses permitting provision in sanctioned countries of services incident to personal communications over the Internet. However, General License No. 5 for Syria explicitly excludesÂ from the General License “domain name registration services.”

Of course, shutting down the sites now does not negate the violation that occurred in providing these web hosting services to Syria in the first place. And a large part of the problem here is that domain services are normally provided without any human involvement. A registrant fills out a web form, hands over a credit card number to pay for the annual fee, and a computer program takes care of the rest. Add to that, as the famous New Yorker cartoon caption suggests, “on the Internet, nobody knows you’re a dog.” It is simply not clear how Network Solutions could screen out every registration from an embargoed country. Instead, it seems the best an Internet registrar can do is shut down the domain names once it learns of the problem.

The big questions, then, Â are this: does Network Solutions have a voluntary disclosure pending at OFAC on this and what will OFAC’s response be?

Permalink

Comments Off

May

10

DDTC Slams Stable Door After The Horses Have Bolted

Posted by Clif Burns at 1:02 am on May 10, 2013

Liberator Hand Gun http://defdist.tumblr.com/ [By Permission of Defense Distributed] Unless you have been vacationing on the dark side of the moon today, you probably have seen that the Directorate of Defense Trade Controls (“DDTC”) told Defense Distributed to take down the plans that it had posted for producing a crappy plastic handgun using an expensive 3-D printer. You can read the letter by clicking this link.

Not surprisingly, DDTC takes the position that these plans are technical data relating to an article in Category I of the USML and that putting the plans on the Internet is an export of that technical data. Of course, whether these plans are technical data may not be entirely clear given the public domain exception to the definition of technical data. Detailed gun schematics are available in numerousÂ widely available publications and all over the Internet. A Google search, for example, quickly brings up these schematics.

But leaving aside whether or not these plans are controlled technical data that cannot be put on the Internet without a DDTC license, this whole brouhaha seems to be a waste of time by DDTC. Real guns that won’t blow up in your hand, can fire multiple shots before falling apart, and which can be much more cheaply manufactured are readily available outside the United States, so the danger posed by exporting these plans is, well, non-existent. Foreign militaries aren’t very likely to abandon their AK47s now that they can print their own plastic handguns.Â Worse yet, the plans had apparently been downloaded more than a 100,000 times before the Feds dropped the ban hammer. There is no way that DDTC can now stuff all that toothpaste back in the tube.

Finally, the DDTC letter seems to concede some uncertainty about whether the plans are technical data. Instead of simply demanding the removal of the plans and threatening enforcement action, the letter requests that Defense Distributed file a commodity jurisdiction request to “resolve” the “proper jurisdiction” of the technical data “officially.” So, stay tuned, this affair is far from over.

(The picture of the plastic gun parts from the Defense Distributed site that illustrates this post has been pixelated for your protection.)

Permalink

Comments (1)

May

8

Man Charged with Attempted Import of Traffic Lights

Posted by Clif Burns at 10:51 pm on May 8, 2013

Category: Criminal Penalties • OFAC • WMD Sanctions

LED Traffic Lights http://commons.wikimedia.org/wiki/File:Led_traffic_lights.jpg [Public Domain] A federal district court in Chicago recently unsealed a criminal complaint against an Illinois man for importing an oil pump and attempting to import some LED traffic lights from Taiwan to the United States.

The reason that these activities are alleged to be illegal is that the lights and the pump were imported from a company that had been designated by the Office of Foreign Assets Control (“OFAC”) as a Specially Designated National (“SDN”). Any transaction with an SDN, whether an import or an export, is prohibited.

As background, the indicted man, Gary Tsai is the son of Alex Tsai, a resident of Taiwan. Â The father Alex Tsai was designated along with companies he controlled by OFAC on January 16, 2009, after he had been convicted in a Taiwanese court for sales of machinery to North Korea. Although the complaint details a number of exports by Gary Tsai to Alex Tsai and his designated companies prior to their designation by OFAC, these are not, and obviously cannot be, alleged to be illegal. Instead, I suppose, all the pre-designation transactions are provided for a bit of color. Who says prosecutors don’t like to have fun?

Most interesting, however, is that the imports in question are not just charged, as one would predict, as violations of the International Emergency Economic Powers Act, 50 U.S.C. Â§ 1701 et seq., but also under 18 U.S.C. Â§ 371 as a conspiracy to defraud the United States by obstructing enforcement of laws relating to the proliferation of weapons of mass destruction. That section is more widely known for its prohibition on conspiracies to commit any offense against the United States, but it also prohibits conspiracies “to defraud the United States.”

The statute in question was originally enacted in 1867 and appended to â€œAn Act to amend existing Laws relating to Internal Revenue and for other Purposes.â€ Originally conceived as a revenue protection measure, the “defraud” prong of 18 U.S.C. Â§ 371 has typically been employed in tax evasion cases.

In Haas v. Henkel, 216 U.S. 462 (1910), the Supreme Court expanded the scope of the provision and held

it is not essential that such a conspiracy shall contemplate a financial loss or that one shall result. The statute is broad enough in its terms to include any conspiracy for the purpose of impairing, obstructing, or defeating the lawful function of any department of government.

Of course, that formulation alone is overly broad and would criminalize any concerted action that somehow or other made the federal government’s activities more difficult. As the Ninth Circuit said in United States v. Caldwell, 989 F.2d 1056 (9th Cir. 1993), such a reading would make it illegal to agree not sell land to the government and force it to use eminent domain instead. In that regard, the Supreme Court in Hammerschmidt v. United States, 265 U.S. 182 (1924) said that the obstruction must occur through “deceit, craft or trickery.”

It is not at all clear from the criminal complaint what “deceit, craft or trickery” was used by Gary Tsai in importing the items in question from his SDN father. The best I can tell is that the government somehow thinks that because Gary Tsai and his father used Gmail accounts that did not contain their real names, this was some kind of trickery. It is hard to believe that any court will find some duty to use real names only for email addresses.

Permalink

Comments (1)

May

3

Do As I Say Not As I . . . etc. etc.

Posted by Clif Burns at 2:15 pm on May 3, 2013

Category: China • DDTC • Deemed Exports

Credit: China Great Wall Industry Corporation http://cn.cgwic.com/APSTAR-7/photo.html [Fair Use]

ABOVE: Apstar-7 launch in China

Picture this scenario: a U.S. defense contractor leases time on a Chinese satellite and uses the transponders of that satellite to beam ITAR-controlled technical data between and among its facilities in the United States. The Directorate of Defense Trade Controls (“DDTC”) which licenses exports of ITAR-controlled technical data by U.S. exporters and which has imposed an absolute ban on transferring such data to China would, pardon the metaphor, go ballistic. The defense contractor would be investigated, fined millions of dollars, forced to conduct public self-shaming sessions (i.e. compulsory self audits) and either debarred or threatened with debarment. The zombie apocalypse would seem a Sunday afternoon outing in the park compared to the terror that the agency would rain down on the guilty exporter.

Now, suppose that the U.S. defense contractor in this story is not a private contractor but instead . . . (are you sitting down?) . . . is the Pentagon. What has DDTC to say about this catastrophic breach of national security? Let’s listen: (Crickets chirping . . . crickets chirping . . .) Speak up, over there, Foggy Bottom. I can’t hear you. What? Nothing? Not a peep?

And, no, this is not merely a hypothetical. It is a fact.

Doug Loverro, deputy assistant secretary of defense for space policy, testified at an April 25 hearing of the House Armed Services strategic forces subcommittee that when he assumed his duties a month ago, he learned of DOD leases with a Chinese satellite service provider that were issued early last year following a joint urgent operational needs statement in support of “warfighter needs.”

“The warfighter needed [satellite communication] support in his area of operations. He went to the Defense Information Systems Agency to request that support,” Loverro said.

Loverro said DISA responded to the request by reaching out to its pool of providers. Only one of those providers, a company based in China, had the bandwidth available to meet the communications needs. â€¦

“From that perspective, I’m very pleased with what we did,” Loverro said. â€¦

According to Wired, the satellite in question is the Apstar-7, launched in China and operated by APT Satellite Holdings Ltd., which is owned by the PRC.

The point of raising this is not just to show the double standard the government exercises with respect to defense-related information but also to find some support for a potential problem that has been bedeviling exporters and (to a lesser extent) the export licensing agencies themselves — namely, the issue of the interaction between export law, controlled technology, the “cloud” and the use of the Internet and email forÂ information transfer. Everyone pretty much agrees that if controlled technical data so much as traverses a foreign internet server for a nanosecond — even if the information originated in the United States and is being sent to another user in the United States Â — there has been an unlicensed export of that data. And yet, no one who puts information in the cloud, or sends it by email, or otherwise transfers the data using the Internet can be certain of the path the information will take and that it won’t pay an infinitesimally brief visit to a server outside the United States. Does this mean that everyone with controlled data has foresworn the Internet, keeps all controlled data on paper locked in file cabinets and uses the good offices of the United States Snail Mail service to send it about? Of course not.

Instead, it appears that those who have thought about the vagaries of Internet routing and cloud storage have adopted, at least as a best practice and perhaps as a mitigating factor, the use of encryption on controlled technical data being sent by email or stored in the cloud even where this is intended to be a solely domestic transaction. Of course, there is nothing in the ITAR or the EAR that endorses this and, technically speaking, the export of encrypted technical data is still the export of technical data.

Now in that light, consider this nugget from Lovero’s testimony:

Based on his review of the leases, Loverro said, the agency followed all of the current procedures and operational commanders were aware of the safety and business concerns connected with such an agreement. Those commanders, he said, are equipped with the necessary encryption to protect the information being relayed.

File that testimony away, folks, because you may need it. In short, the DoD is endorsing the notion that encryption effectively prevents the transfer of controlled technical data to the Chinese even when it passes through their hands. I’m certainly not guaranteeing that this is a “Get Out Of Jail Free” card, but it might some day be all you have.

Permalink

Comments Off

May

2

Snooping on the Snoopers

Posted by Clif Burns at 6:02 pm on May 2, 2013

Category: BIS • Syria

By DSOA (Own work) [CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ADubaiSiliconOasisHeadQuarters-exterior2.JPG

ABOVE: Computerlinks FZCO
HQ, DSO Building, Dubai

The Dubai subsidiary of Munich-based Computerlinks recently agreed to pay $2.8 million dollars to the Bureau of Industry and Security (“BIS”) to settle charges that the Dubai subsidiary exported sophisticated Internet surveillance software to Syria without the required licenses. BIS had previously placed one individual and one company in the U.A.E. on the entity list in connection with the unlicensed export of these Internet devices to Syria

The charging documents are unusually detailed and reveal what appears to have been a systematic effort by the Dubai subsidiary to lie to Blue Coat, the manufacturer of the devices, about the ultimate destination of the equipment. One of the exports at issue was described as follows:

On or about October 29,2010, Computerlinks FZCO placed an order with Blue Coat for eight devices used to monitor and control web traffic along with accompanying equipment and software. Computerlinks FZCO falsely stated that the items were intended for the Iraq Ministry of Telecom, concealing the fact that the items actually were destined for Syria. Upon receiving the order, Blue Coat reexported the items from its facility in the Netherlands to Computerlinks FZCO in the U.A.E. On or about December 15, 2010, Computerlinks FZCO directed the items’ transfer within the U.A.E. for their subsequent shipment to Syria for use by the state-run Syrian Telecommunications Establishment (STE).

This is one of the highest fines BIS has ever imposed, ranking, by my count, only behind the $15 million imposed on Balli Aviation and related companies in 2010. This is due, in part, to the fact that this violation was not voluntarily disclosed. In fact, judging from the gleeful and somewhat self-serving press release from Blue Coat commending BIS for whacking Computerlinks, it is reasonable to assume that Blue Coat discovered the diversion and dropped the dime on Computerlinks.

No doubt Blue Coat discovered the diversion because the devices that Syria used to snoop on its citizens were probably also snooping on Syria at the same time. And you have to be more than a little surprised that the people at the Dubai subsidiary of Computerlinks were too stupid to realize that this would happen.

Permalink

Comments (1)