May

12

Maybe Carbon Paper Wasn’t Such a Bad Thing After All

Posted by at 11:40 am on May 12, 2010
Category: Deemed Exports

Hidden Export RiskAnother day; another export compliance nightmare. First it was cloud computing and now it is . . . copy machines. Seriously.

An alert reader pointed me to this CBS News story about hard drives found in almost all copy machines built after 2002. They store images of the last 20,000 or more things copied on the machines to which they are attached. Your resumé. Your tax return if you copied it at work before you sent it. The photocopy you hilariously made at the office Christmas party of, well, you know who you are and you know what I mean.

It also includes any export-controlled technical data copied on the machine. And since you probably lease that machine, your vendor comes in periodically to replace the machine, whisking away the old one, and its hard drive, and sending them to destinations unknown. Have you worked up a cold sweat yet?

The CBS reporters downloaded copies of hard drives from used copy machines Each copier was bought for $300 each. They found confidential patient medical records, details of an on-going drug investigation by the Buffalo police, and pay stubs with names, addresses and, yes, social security numbers. And I’m sure that export-controlled technical data wouldn’t be hard to find either. At the facility where CBS bought the used copy machines, two containers of used copy machines were being packed for export to Singapore and Argentina. Was your copy machine in that batch?

As soon as you finishing reading this, you probably want to take steps to make sure that copy-machine hard drives are scrubbed before the machines leave your facility and that, in the future, all export-controlled technical data or technology is only copied on secure machines that implement a factory option to erase each image from the hard drive after the copy is made.

Permalink

Bookmark and Share

Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

4 Comments:

Clif

This has long been an issue in the classified world. Some companies have a handle on it for export compliance too, but not the majority.

Regards

David

Comment by David on May 12th, 2010 @ 11:54 am

Clif

At the risk of ruining the day for more folks; many of these machines also link back to the supplying company or manufacturer for online support. Where and by whom that support is actually provided is another interesting (for which, read frightening) thought.

Regards

David

Comment by David on May 12th, 2010 @ 12:02 pm

This brings up another aspect of “intent”. While failure to take reasonable safeguards against an unintended release of confidential information may suffice to defeat a claim of trade secrets under the Uniform Trade Secrets Act or the Restatement of Torts, even for a per se civil violation of the EAR or ITAR, the government must still prove an intent to export, though not an intent to violate the regulations as required for a criminal violation. The exporters in the hypothetical are not the former customers, but the leasors who sell their old equipment to a foreign party. Those are the folks with whom OEE and ICE ought to have a heart to heart about this.

Copying machine customers ought to be far more concerned about the IP and privacy aspects of this issue than exports.

Comment by Hillbilly on May 13th, 2010 @ 11:10 am

Clif,

Once readers have convinced themselves that they now need to scrub their drives the next question is how?

Inside my own company there are two groups that have different views on what is enough. One group authorises scrubbing software. The other group says this is not enough and that if someone was determined enough they could still get at the data. (Maybe easier to break in steal it!)

This group requires us to destroy the drives via a high temperature hard disk drive shredder or in a furnace.

Comment by Nujje Gygges on May 17th, 2010 @ 11:25 pm