Archive for the ‘BIS’ Category


Be Careful What You Post on Facebook


Posted at 6:58 pm on January 9, 2014
Category: BIS, Iran Sanctions

Image: Pouya Airlines IL 76 at Antalya Airport via https://www.facebook.com/media/set/?set=a.546519808709147.135602.240207326007065&type=1 [Fair Use]

We’ve all heard the story of exuberant youngsters who find their career hopes dashed because they posted on Facebook pictures of themselves half-clothed and glassy-eyed with a margarita in one hand and a bong in the other. It’s a cautionary tale, for sure, and has certainly meant that many people have realized that they perhaps should confine pictures of their latest bacchanalian orgy to a more discreet mode of distribution among friends than Facebook. If you wouldn’t send it to your grandmother, don’t post it on your Facebook page, right?

So, you’re wondering, what does this have to do with export law? Well, believe it or not, it relates to a possible explanation of a recent temporary denial order issued by the Bureau of Industry and Security (“BIS”) on January 3 against 3K Aviation and others related to the planned export on January 7 of U.S.-origin aircraft engines by 3K from Turkey to Iran via the Iranian cargo carrier Pouya Airline. Many people have expressed surprise that a TDO would be issued that forbade all export related activity by 3K rather than an order forbidding the export of the engines at issue given that the order was issued before the export at issue had even taken place. Typically, as in the Mahan Air case, the TDO is issued after the forbidden export has occurred and prohibits all export-related activity during the effective period of the TDO.

On 3K’s Facebook page, you can (still) find a photo gallery titled “IL 76 Engine Loading” and dated December 27, 2012, long before the TDO. The IL 76 is the Ilyushin cargo aircraft operated by Pouya Airlines. Here is a screen capture of the Facebook page showing the Pouya IL 76 sitting at the Antalya Airport in Turkey. And here is a screen capture from the page of the happy pilots in the IL 76 about to carry their engines back to Iran. (You can easily find images of the IL 76 cockpit on-line if you want to verify that this is an IL 76 cockpit.) In other words, the planned January 7 shipment of U.S. aircraft engines to Iran was possibly not the first time that 3K had exported U.S. items to Iran.

For its part, 3K is saying that it’s now planning to ship the engines back to the seller in Germany. Of course, under the denial order they can’t export the engines back to Germany without BIS authorization. And here’s a Catch-22: under the TDO they can’t even store the engines without violating the order.  Whatever 3K does, it will violate the order.



Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Name That Country!


Posted at 6:31 pm on December 18, 2013
Category: BIS, DoJ, Sanctions, Syria

Image: Dell HQ http://www.dell.com/downloads/global/corporate/imagebank/hq/hq_rr1.jpg [Fair Use]

The Securities and Exchange Commission just released on Monday, according to this article, correspondence that it had with Dell regarding an on-going investigation by Dell, the DOJ, and the Bureau of Industry and Security (“BIS”) regarding sales of Dell computers to Syria. These sales were made by a Dell distributor based in the U.A.E. In that correspondence, Dell indicated that it was conducting an internal investigation with outside counsel into sales by one of its Dubai-based distributors, was regularly communicating with the U.S. Attorney regarding that investigation, and had responded to a BIS subpoena requesting information about the sales in question. The company said that the investigation was not yet complete so that the company could not yet respond to the SEC’s questions as to whether Dell had any liability under U.S. export and sanctions law arising from the distributor’s sales to Syria.

The company, however, did try to suggest that it might not be liable because of a clause it cited in its distribution agreement:

Distributor acknowledges that Products licensed or sold hereunder or in respect of which services (including Dell Branded Services) are provided, which may include software, technical data and technology, are subject to the export control laws and regulations of the USA, the European Union, the Territory in which Distributor operates and the territory from which they were supplied, and that Distributor will abide by such laws and regulations. Distributor confirms that it will not export, re-export or trans-ship the Products, directly or indirectly, … to … any countries that are subject to the USA’s or those other relevant territories’ export restrictions or any national thereof … .

To paraphrase someone else, I guess you go to war with the language you have — that is to say, this language is hardly ideal. It relies on the distributor to know what countries are subject to U.S. export restrictions. Do you really think that a distributor in the U.A.E. is aware of the details of U.S. sanctions programs or even which countries are on the current U.S. bad country list? Probably not.

I certainly do not mean to imply that Dell has criminal or civil liability because of this drafting issue. Rather, my point only is that companies should be explicit in these clauses about which countries are subject to sanctions and should affirmatively advise distributors in writing when those countries change. Don’t count on your distributor to know who the U.S. has sanctioned any more than you would count on him to know the name of last year’s winner of American Idol.



Copyright © 2013 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

More Details Emerge on Multilateral Export Controls on Cybersecurity Items


Posted at 8:11 pm on December 10, 2013
Category: BIS, Cyber Weapons, Wassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg

Last week we posted on reports that the Wassenaar Plenary was considering adding certain cybersecurity hardware and software products to the list of items that members of the Wassenaar Arrangement, which includes the United States, have agreed to subject to export controls. A press release today from Privacy International purports to provide details and operative language for the new controls, the first control to be on certain types of intrusion software and the second on certain types of deep packet inspection (“DPI”). Both of the proposed new controls are somewhat narrower than we first thought might be the case before we saw this language.

The controls on intrusion software originate from a U.K. proposal. It would control software designed to bypass security and detection systems in order to collect data or modify the execution of software on the targeted device:

“Software” specially designed or modified to avoid detection by ‘monitoring tools’, or to defeat ‘protective countermeasures’, of a computer or network capable device, and performing any of the following:
a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or
b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The target seems to be malware and rootkits used by government agencies to spy on their citizens, such as FinFisher software which we previously discussed here. Of course, the language is broad enough to cover exports of most malware and might give governments additional enforcement tools against domestic hackers and distributors of malware. Although I don’t believe that anti-virus software is the intended target, the language might wind up covering such software as well since it is designed to defeat the countermeasures of viruses and malware and to extract data about the malware from a computer or network.

The second new control will target “IP network surveillance systems.” Specifically, the language, as proposed by France, is narrower than the title suggests and reads as follows:

5. A. 1. j. IP network communications surveillance systems or equipment, and specially designed components therefor, having all of the following:
1. Performing all of the following on a carrier class IP network (e.g., national grade IP backbone):
a. Analysis at the application layer (e.g., Layer 7 of Open Systems Interconnection (OSI) model (ISO/IEC 7498-1));
b. Extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
c. Indexing of extracted data; and
2. Being specially designed to carry out all of the following:
a. Execution of searches on the basis of ‘hard selectors’; and
b. Mapping of the relational network of an individual or of a group of people.

When I previously posted about possible added controls on DPI software and hardware, I noted that the “deep” in DPI could mean many things. This language clarifies that by only covering inspection at OSI Layer 7, the so-called application layer. Moreover, it only captures items that in addition to capturing the traffic contents also index that software and analyze it for relational data among individuals. The biggest ambiguity is what is meant by a “carrier class IP network,” a term likely to be defined differently by the various members of the Wassenaar Arrangement.


U.S. and Allies Mull Export Licenses for Network Equipment and Software


Posted at 6:55 pm on December 4, 2013
Category: BIS, Cyber Weapons, Wassenaar

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg

We can only assume that exporters have been very bad this year because they may find a big lump of coal left in their export reform stocking by jolly old St. Nick or, perhaps more accurately, Good King Wassenaar (to continue torturing this extended metaphor). The jolly old elves who negotiate the Wassenaar Agreement are meeting in Vienna this week, and according to this Financial Times article, they are likely to impose new controls on cybersecurity hardware and software. When the U.S. implements these changes, it means that some network equipment and software that did not previously require licenses will now require them.

The details of the changes are still not fully known. Obviously, many things could be classified as “cybersecurity” software and/or hardware, so the scope of these controls could be significant. The Financial Times article singles out deep packet inspection as one area of cybersecurity likely to be subject to export controls:

Particularly sensitive areas include so-called “deep package inspection” technologies which allow users to screen data for hidden viruses, malware or surveillance programmes. Western intelligence agencies are particularly concerned about such technologies falling into enemy hands, because they could enable them to foil cyber attacks or gain an intimate understanding of Western screening systems and their fallibilities.

Deep packet inspection is commonly used to refer to network software and hardware that looks beyond the headers of IP packets transiting a network to examine the data payload in the packet. DPI technologies vary in the degree to which the data payload is inspected, particularly given constraints on inline processing as the data streams through the network. Some DPI may look for patterns or signatures indicating viruses or attacks (to block the packet), the type of traffic, e.g., P2P vs. VOIP (to prioritize the traffic), or even the actual content of unencrypted traffic for censorship or law enforcement purposes. Given that there are varieties of “deep” in Deep Packet Inspection and varieties of purposes to which DPI could be put, a one-size-fits-all license requirement for DPI would certainly seem to be overkill.

But the biggest nightmare will be how these license requirements will seep into the deemed export rules. Any company that employs network engineers (in other words, any company but the Asian Lithuanian Taco and Waffle Truck on the corner) will encounter real difficulties in hiring and managing foreign employees working on their networks. Let’s just hope that these negotiations at Wassenaar fizzle (but I’m not holding my breath).


Naming Names


Posted at 10:09 pm on November 7, 2013
Category: BIS, DDTC, Deemed Exports, Export Reform

Image: By MediaPhoto.Org (mediaphoto.org Own work) [CC-BY-3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ARussian_passports.jpg

The Bureau of Industry and Security has released new guidance on deemed re-exports which is intended to deal with issues arising when a U.S. company exports technology to a foreign company that then re-exports that technology to its own employees who are not of the same nationality as the foreign company receiving the technology export. The purpose of the guidance is to address certain issues raised by the current export control reform effort and, specifically, to deal with re-exports of technology relating to the newly created 600 series of items that have been transferred from the United States Munitions List (“USML”) to the Commerce Control List (“CCL”).

As the guidance notes, one of the overarching principles of the export control effort is that military items moved from the USML to the CCL should not thereby be subjected to more stringent controls than were applicable to the item when it was on the USML. Under the International Traffic in Arms Regulations (the “ITAR”), “technical data” is subject to certain license exemptions permitting technical data, in certain cases, to be transferred without license by foreign companies to their employees who are not of the same nationality as the foreign company. These employees include “third country nationals,” who are nationals of countries other than the nationality of the foreign company involved, and “dual nationals,” who are nationals of two countries, one of which may be, but is not necessarily, the nationality of the foreign company.

The first of these exceptions, found in section 124.16 of the ITAR, allows companies in NATO countries, the EU, Australia, Japan, New Zealand and Switzerland to retransfer technologies to third country nationals who are also from such countries, subject to certain further conditions. The other exception, found in section 126.18, permits intra-company transfers of technical data from the foreign company to employees without regard to the country restrictions of 124.16 but subject to certain other restrictions, such as requiring the third country national employees to sign non-disclosure agreements and requiring the company to assure that the third country national doesn’t have “substantive contacts” with countries subject to arms embargoes under section 126.1 of the ITAR.

Nothing in the Export Administration Regulations (the “EAR”) provides equivalent license exceptions to permit the transfer of technology to nationals of NATO countries, the EU, Australia, Japan, New Zealand, and Switzerland without a license as permitted by section 124.16 of the ITAR. Accordingly, the new guidance indicates that it is the policy of BIS to permit transfers of technology relating to series 600 items without a license if the conditions of 124.16 are fulfilled. Also to the extent that section 126.18 of the ITAR permits transfers to third country nationals outside of the EU, Australia, Japan, New Zealand and Switzerland if they sign an NDA and are screened for contacts with embargoed countries, BIS will permit similar transfers of series 600 technology.

The situation with section 126.18 is more complicated because section 126.18 addresses an issue under the ITAR that is not a problem under the EAR, namely the problem of dual nationals born in countries subject to arms embargoes. Section 126.18 was designed to deal with the thorny problem of dual nationals under DDTC rules, which require that a dual national be treated as a citizen of both countries. Accordingly, a naturalized U.K. citizen born in China would still be treated as Chinese, and thus ineligible to receive ITAR-controlled technical data even if he had been awarded the OBE by the Queen because, in DDTC’s eyes, that dual national was irrevocably and permanently tainted with Chinese blood. Although such discrimination would be illegal if applied by DDTC in the United States, DDTC saw no problem with applying this rule in foreign countries even if it would, as it often did, violate the human rights laws of that foreign country to discriminate against someone solely based on place of birth. Under BIS rules, in contrast, a person is treated as a citizen of the country of his or her most recent nationality. A naturalized UK citizen would be treated simply as a UK citizen without regard to the fact that he or she was born in China and was once Chinese. Thus, strictly speaking, the BIS guidance does not need to implement those parts of 126.18 as they relate to dual nationals.

There is, however, one problem relating to technology re-exports for series 600 items where the transfer from the USML to the EAR will subject the technology to more stringent requirements and which is not addressed by this guidance. Under DDTC’s application procedures, a U.S. exporter seeking authority for a foreign company to transfer technical data to its third country and dual nationals need only list the nationalities of the employees. In other words, the U.S. exporter says, for example, that the technical data will be exported to French, German and Mexican nationals. Under BIS application guidelines, however, the U.S. exporter must give the names, passport numbers and addresses for each employee that will receive the technology re-export. In addition, a resume showing education, employment history and military service must be provided for each employee.

Over and above the obvious burden of compiling this information in the first place, the U.S. exporter will be required to obtain amendments or new authorizations each time the foreign transferee hires new employees in the affected program area. Under DDTC’s rules, an amendment is required only if an employee with a nationality not previously approved is hired. Granted this burden can be minimized to some extent through reliance on section 126.18, but this may not be possible where the foreign employer is either unable or unwilling to comply with all of the conditions required by section 126.18, including screening employees for contacts with embargoed countries, maintaining records of this screening, and fulfilling the other requirements of section 126.18.
