Archive for the ‘BIS’ Category



We’re from BIS and We’re Here to Help You


Posted by at 8:21 am on December 4, 2015
Category: BIS

By Daderot (Own work) [CC0], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3APatent_quote_-_United_States_Department_of_Commerce_-_DSC05103.JPG

In a laudable effort to increase transparency of its operations and processes, the Bureau of Industry and Security (“BIS”) has launched an initiative to release statistics and data on at least part of its operations. The new “data portal” can be found here. And although it’s clearly a work in progress, there are still some interesting factoids that can be gleaned from the “2014 Statistical Analysis of BIS Licensing” that appears there.

First, export control reform did not create a licensepocalypse. Many ill-mannered cynics (though not me, in this case) speculated that the onslaught of license applications for new 600 series items transferred from the USML would overwhelm BIS staff and result in a license tar pit from which fossilized approvals would emerge centuries, if not eons, later. The new figures however show a steady decrease in licensing times. Since 2010 average license processing times have decreased from 31 to 23 days even though the number of applications processed each year has increased from approximately 22,000 to 31,000. And, not surprisingly, the largest category of applications processed by BIS was the 600-series ECCN 9A610, which covers military aircraft and commodities.

Second, BIS grants the overwhelming majority of licenses that it processes. Of the approximately 31,000 applications processed in 2014, only 321 were denied with the remainder being returned without action or approved. The top items that were denied were, in this order, rifle scopes, encryption software, and EAR99 items. Although I understand rifle scopes and EAR99 items (for which licenses are required only when exported to bad people or for bad uses) being on this list, I am a bit baffled as to why licenses for 5D002 software receive so many denials. It’s not like there’s any real reason to control encryption software given that the U.S. (despite some self-delusions in this regard) does not have a monopoly on secure encryption technology.

Finally, I have just one little wish for the data portal. It would be tremendous if BIS would provide similar data on classification requests, particularly processing times. The classification process is just as important as, and in some instances even more important than, the licensing process. And I suspect that the processing time figures do not look quite as rosy as they do for licensing.



Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)


BIS Imposes Controls on High-Tech Cloaking Material


Posted by at 7:57 pm on November 19, 2015
Category: BIS

XBS Epoxy System Demo via http://www.spacephotonics.com/Coating_Glob-top_Cavity_Fill_X-Ray_Blocking_Anti-Tamper_Material.php [Fair Use]

On Monday, BIS announced an “interim final” rule (a top contender for the best oxymoronic regulatory phrase ever) imposing export controls on Harry Potter’s invisibility cloak as well as on tarnhelms, the predecessor technology to the invisibility cloak. Actually, the control, which was effective immediately upon publication, was placed on a high-tech equivalent of those two items, namely, XBS epoxy systems.

The website of Space Photonics, which is the apparent developer of this technology, explains the technology.  According to that website, XBS epoxy systems are

proven effective in obfuscation of critical technology components against X-Ray and Terahertz Microscopy imaging attempts … developed to conceal critical components from adversaries.

The picture on the left is a visual demonstration of the technology.

One interesting issue of an immediately effective “interim final” rule is a simple commercial issue. Suppose one of the systems was in transit on the date of publication. If it crossed the U.S. border after the rule was published, did the exporter violate the law? The rule has no grandfathering or savings provision, so the apparent answer would be that the exporter did violate the law and could be subject to civil penalties. It seems doubtful that BIS would fine someone in that situation, but it’s hard to see why the immediately effective rule did not address this issue rather than throw any such exporters on the presumed mercy of BIS.

Because it is an “interim not-yet-final but almost and pretty much but not quite final rule,” BIS will permit comments on the rule until January 15, 2016, after which BIS will presumably issue the “final and we really mean final this time final” rule.


I’m from the Government and I’m Here to Fine You (Twice)


Posted by at 12:25 am on November 6, 2015
Category: BIS, SDN List

PPI via https://m.facebook.com/ProductionProducts/photos/pb.207851795988965.-2207520000.1438832505./368040763303400/?type=1&source=54 [Fair Use]

Back in August, we detailed the sad story of Production Products, a small family-run business in Maryland that sent OFAC into a tizzy and received a $78,5000 fine because, heaven forfend, the company had never heard of the SDN list and sent HVAC duct manufacturing equipment worth $500,000 to an SDN in China, which equipment is now probably being used to make bombs and missiles and stuff. We took the occasion to suggest that, rather than pitch a fit, OFAC should engage in a bit of reflection and wonder why a small mom-and-pop company in Maryland might never have heard of its SDN list.

Well, Production Products’s woes were scarcely over because BIS, equally annoyed that Production Products doesn’t have someone read the Federal Register cover-to-cover every day, has decided it ought to pile on with its own $50,000 fine for the same violation, as well as punishing the company with a year in detention or the equivalent, namely requiring three officials to attend export school and report back to BIS Special Agents with “attendance certificates.”

BIS gets to attend this punching party as a result of section 744.8 of the Export Administration Regulations which makes it a violation of the EAR to deal with any SDN that is listed “with the bracketed suffix [NPWMD].” And that was the case here. The Chinese company on the list has the “bracketed suffix [NPWMD]” which means (for those of you who don’t speak the Low Middle Inflected Dialect of the Exportish language) that they were put on the list for reasons having to do with their involvement in nuclear proliferation and/or weapons of mass destruction.

Like OFAC, BIS was miffed that Precision Products had never heard of the SDN and, as a result, imposed a fine and the requirement that the miscreants take a course at Export School and bring back proof of attendance. But, also as was the case with OFAC, this was less an opportunity for BIS to get lathered up than it was an opportunity for self-reflection. What has BIS done to make sure that small businesses know about its arcane and complex regulations?

 


Free Food and Drink


Posted by at 11:56 pm on October 29, 2015
Category: BIS

Update 2015

If you are attending BIS Update 2015 and would like to get together for some free food and drink, please drop me an email at [email protected]. I have some invitations for a reception being held at Bryan Cave on the evening of November 3 which I can send to you. I’ll be there but, more importantly, so will be things to eat and drink.


Beijing’s Review of U.S. Software Risks Export Woes for Those Who Allow It


Posted by at 10:43 pm on October 19, 2015
Category: BIS, China, Encryption

140515-D-VO565-003 by Chief of Joint Chiefs of Staff via Flickr https://flic.kr/p/nkMLsf [Public Domain - Work of U.S. Government]

An article that appeared last Friday in the Wall Street Journal suggests that at least one U.S. company is providing the Chinese government with access to proprietary U.S. source code as a condition for access to the Chinese market. What could possibly go wrong with that??

Just as a burglar, who normally suspects everyone else of having his own larcenous motives, puts extra bars on his own doors and windows, the Chinese seem to be worried that U.S. software might have backdoors that allow the U.S. to hack into Chinese systems. Imagine that.

IBM has begun allowing officials from China’s Ministry of Industry and Information Technology to examine proprietary source code—the secret sauce behind its software—in a controlled space without the ability to remove it from the room, the people said. It wasn’t clear which products IBM was allowing reviews of or how much time ministry officials can spend looking at the code. The people said the practice was new and implemented recently.

The Wall Street Journal suggests that this access, which is designed to quell Chinese fears that the U.S. will do unto China what China has done unto the U.S., is largely symbolic because the Chinese are not being given sufficient time to comb through thousands of lines of code looking for back doors.

The problem here, however, is that most software programs these days, particularly ones that might have “back door” entry concerns, will have encryption; and the EAR poses special restrictions on exporting certain types of encryption source code to certain government end-users. Encryption source code that is classified as ECCN 5D002 (i.e., is not mass market) and is not publicly available is classified under section 740.17(b)(2)(i)(B) of license exception ENC. Under paragraphs (1) and (2) of the Note to 740.17(b)(2), such encryption source code can, after a classification request, be immediately exported under license exception ENC to any end-user (including a government end-user) in a Supplement 3 country and to non-government end-users in countries, such as China, which are not Supplement 3 countries. However, 5D002 encryption source code that is not publicly available, i.e., that is not available by download or otherwise to members of the public, can only be exported to a government end-user outside Supplement 3, such as the Chinese government, with a license from the Bureau of Industry and Security. (A very good chart explaining the baroque complexities of license exception ENC can be found here.)

Now, here’s the catch. Most encryption algorithms are publicly available, but the code used by specific software to implement that algorithm is not. Indeed, if that code were publicly available, the Chinese wouldn’t need to review it, and the reviewing company would not insist that the code be examined in a “controlled space.” Indeed, you have to imagine that it is precisely the non-public code implementing the public algorithm which would be of most interest to Chinese reviewers concerned about U.S. software having back doors for Uncle Sam to come snooping.

Let me be clear: I’m not saying that IBM has broken any laws here. We don’t know whether the software being examined is 5D002 software or, if it is, that IBM hasn’t applied for and received a license. Rather my point is this: companies that consider giving source code access to the Chinese should only move ahead with a great deal of caution if the software utilizes encryption.
