Archive for the ‘BIS’ Category


BIS Implements Wassenaar’s Note 4 Amendment: Accentuate the Positive


Posted by at 10:07 am on August 24, 2017
Category: BIS, Encryption

Photo: Maxwell Smart's Shoe Phone [Fair Use]

Last week the Bureau of Industry and Security published a final rule implementing the changes adopted by the December 2016 Wassenaar Arrangement Plenary meeting. Most of these changes are the usual nits and quibbles cooked up to justify a nice government-paid international trip by the delegates. Like this:

The Heading of 1C608 is amended by adding double quotes around the defined term “energetic materials” …

The most interesting change, however, at least in my view, was the re-working of Note 4, which provides a broad exception to export controls on encryption. Allegedly, the change wasn’t supposed to change anything, and BIS’s notes to the amendments say just that. This, of course, would lead ordinary people to wonder why you would change something you don’t want to change, but I guess they felt guilty charging their governments for simply re-arranging semicolons, adding quotation marks and correcting spelling errors in the Wassenaar lists.

Part of the problem with the new, improved version is that it’s going to be harder to explain to clients. Anyone who has spent much time dealing with software engineers on encryption export matters will immediately see the difficulties ahead. (That means anyone who has had to argue with a software engineer that his program is still covered even though the encryption routines are called from the operating system.) This post is intended to help you in that process (as well as to make fun of a note added to 5A002 by the amendment).

So, let’s take a quick trip down memory lane and now look at the text of the old Note 4.

Note 4: Category 5—Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:
a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions. …

Under the new amendments, the idea is “the creation of positive text in 5A002.a to specify the items subject to control.” I bet the entire encryption world was anxiously awaiting that, don’t you? So, to create this, er, “positive text” subsections 1, 2 and 4 have been moved to the text of ECCN 5A002. Subsection 1 becomes 5A002.a.1, subsection 2 becomes a.3 and subsection 4 becomes a.2 as follows:

a. Designed or modified to use ‘cryptography for data confidentiality’ having ‘in excess of 56 bits of symmetric key length, or equivalent’, where that cryptographic capability is usable without “cryptographic activation” or has been activated, as follows:
a.1. Items having “information security” as a primary function;
a.2. Digital communication or networking systems, equipment or components, not specified in paragraph 5A002.a.1;
a.3. Computers, other items having information storage or processing as a primary function, and components therefor, not specified in paragraphs 5A002.a.1 or .a.2

And, if you look closely, you can see that part of 3 was slipped into a.3 when it references items having “information storage” as a primary function. (Operating systems now get caught in 5D002.a.1 which controls software for the use of computers described in 5A002.a.3).

But what about items with the primary purpose of sending and receiving information? In the software context, this meant, for example, email and FTP programs, which were not considered eligible for the Note 4 exemption. You have to assume that is now captured by a.2, which talks not just about networking but also about “digital communication.”

That leaves subsection b of Note 4, which, frankly, never seemed to apply to much of anything. That now becomes a.4:

Items, not specified in paragraphs 5A002.a.1 to a.3, where the ‘cryptography for data confidentiality’ having ‘in excess of 56 bits of symmetric key length, or equivalent’ meets all of the following:
a.4.a. It supports a non-primary function of the item; and
a.4.b. It is performed by incorporated equipment or “software” that would, as a standalone item, be specified by ECCNs 5A002, 5A003, 5A004, 5B002 or 5D002.

Because it’s not clear what exactly such an item would be, the amendment adds a not very helpful note, in the theme of creating “positive text,” to the new 5A002 to give examples of some items that are not 5A002.a.4. Here’s one:

An automobile where the only ‘cryptography for data confidentiality’ ‘in excess of 56 bits of symmetric key length, or equivalent’ is performed by a Category 5—Part 2 Note 3 eligible mobile telephone that is built into the car. In this case, secure phone communications support a non-primary function of the automobile but the mobile telephone (equipment), as a standalone item, is not controlled by ECCN 5A002 because it is excluded by the Cryptography Note (Note 3)

Okay, I’m going to say it: what century do the plenary delegates live in? Did they all travel in a time machine from 1980 to Wassenaar? Mobile phones built into cars?

So while we’re engaged in time travel, here’s an example of something that would be caught by 5A002.a.4: Maxwell Smart’s shoe phone. Of course, I’m assuming that like any good phone it incorporates non-standard cryptography. The principal purpose of the shoe is, of course, walking and the cryptography supports its non-primary function of talking. So there.



Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

You Had Just One Job: BIS Spokesman Dodges Qatar Boycott Question


Posted by at 8:34 am on July 13, 2017
Category: Anti-Boycott, BIS

Photo: Port of Fujairah, by Port of Fujairah, via http://fujairahport.ae/wp-content/gallery/gallery/picture-521.jpg [Fair Use]

Eugene Cotilli is the Media/Congressional Liaison at the Department of Commerce and is the listed contact for inquiries relating to the Bureau of Industry and Security (“BIS”). Josh Lederman of the Associated Press contacted him to ask whether the boycott against Qatar by Saudi Arabia, Bahrain, Egypt and the U.A.E. is an unsanctioned foreign boycott for purposes of the BIS anti-boycott rules, which prohibit U.S. companies from complying with unsanctioned foreign boycotts. This blog has previously discussed this issue in this post.

This is a perfectly legitimate question. It is an important question because if the rules do apply and a U.S. company accepts a purchase order with an impermissible boycott clause, it is subject to a fine of $284,582 or twice the value of the transaction, whichever is greater. If the order with the impermissible clause is for $1 million worth of goods, the company accepting that order is liable for a civil penalty of $2 million.

So, given the serious consequences of such a violation, Mr. Cotilli certainly provided useful guidance on this simple question, right? Here is his response: no comment. Right, he declined to answer Lederman’s simple and legitimate question. He didn’t even say, “I’ll find out and get back to you.”

Part of the purpose of this post is to shame bad government. But there’s another purpose as well. It’s to encourage you to download and save a copy of Josh Lederman’s article and put it in your files. Although the safe play with respect to the Qatar boycott is to treat it as an unsanctioned foreign boycott, as my previous post thought was the case, you might still get caught up in a violation because BIS’s antiboycott rules are ridiculously complex, profoundly unclear and preposterously confusing. You could, even with the best of intentions, run afoul of them because of some clause buried in a letter of credit. Cotilli’s refusal to answer a simple and direct question as to whether the Qatar boycott is covered by these rules may turn out to be your best defense.

You’re welcome.




Don’t Believe Everything You Read in Blogs


Posted by at 5:54 pm on July 11, 2017
Category: BIS, DDTC

Photo: Road Warrior at LAX, by Clif Burns

A lawyer, without any apparent background in export law, recently decided to write a post on export law for “In House,” which bills itself as the “FindLaw Corporate Counsel Blog.” The purpose of the post, it would seem, is to frighten people traveling internationally with their laptops with the suggestion that they may well be greeted on their return trip by an arrest warrant if they don’t have an export license for their laptop. No, really, he actually says that:

Traveling abroad? Don’t forget your passport, your laptop, and your export license.

Wh-what export license? Oh, maybe your company attorney didn’t tell you that your laptop requires an export license.

That’s right, the United States requires a license for certain technology and software going abroad.

What the FindLaw post, in order to maximize clickbait value, never reveals is that, while it is technically true that some laptop exports require an export license because of software or technology on the laptop, there are broad license exceptions which mean that, as a practical matter, such licenses are almost never required. That’s what License Exceptions TMP and BAG and the exemption in section 125.4(b)(9) of the ITAR are for. These are, oddly enough, never even mentioned in the FindLaw blog post.

I discussed these provisions permitting laptops to be exported without a license recently in a post about whether a requirement to check laptops into the cargo hold might mean that these provisions would no longer apply. As explained there, section 125.4(b)(9) and license exception BAG permit export of laptops (and any software or technology on them) accompanying passengers and for their personal use as long as the laptop is password protected. License exception TMP requires that the laptop remain in the effective control of the traveler. (The difference between BAG and TMP is that BAG applies to laptops owned by the traveler and TMP applies to company laptops taken on a business trip.)

So, no, if you password protect that laptop and keep it with you on your travels, you’re not going to need a license just to take the laptop with you. (If you intend to transfer the laptop or give the technology or software to someone else in the foreign country, these exceptions won’t apply.)

This all goes to show that, with perhaps one exception, don’t believe everything you read on a blog!

Photo Credit: Road Warrior at LAX by Clif Burns. Copyright 2015 Clif Burns




A Boycott Is A Boycott Is A Boycott


Posted by at 6:06 pm on July 6, 2017
Category: Anti-Boycott, BIS

Photo: Port of Fujairah, by Port of Fujairah, via http://fujairahport.ae/?page_id=355 [Fair Use]

As you probably know, various Arab countries, including Saudi Arabia, the U.A.E. and Egypt have imposed a boycott on Qatar, allegedly because of remarks that appeared on the Qatar News Agency’s website where Qatar emir Sheikh Tamim bin Hamad Al Thani called Iran an “Islamic power” and, even worse, said Qatar has “good” relations with Israel. Qatar claims that the Sheikh never said this and that the QNA website was hacked. U.S. intelligence officials have said that this was likely the work of Vladimir Putin and his band of merry hackers, who were hoping to create a rift among the United States and its Arab allies — something the hack may well have accomplished.

What you may not know is that the Port of Fujairah, in the United Arab Emirates, has just banned from the port all maritime traffic coming from or headed to Qatar. Now, how many of you immediately thought of the Bureau of Industry and Security’s Anti-Boycott rules when you (just) heard this? “Pshaw,” you say, “those rules only apply to the Arab League Boycott of Israel.” But in fact the Anti-Boycott Rules never even mention that boycott. By their terms, they apply to any “unsanctioned foreign boycott.” Even though the rules go into excruciating detail on all manner of things, the term “unsanctioned foreign boycott,” on which the whole byzantine edifice is constructed, is, oddly, never defined. Even so, you can be pretty sure that the boycott against U.S. ally Qatar is one of those “unsanctioned foreign boycotts.”

That being said, consider the following scenario. A customer in Fujairah, UAE, wants to buy from you $2 million worth of fidget spinners. The purchase order contains the following clause:

The shipping terms for the purchased goods are DDP Port of Fujairah (INCOTERMS 2010). The goods may not be shipped on a Qatari-flagged vessel or on a vessel that visited, or is destined to visit, Qatar.

Can you accept the order?

The Anti-Boycott rules do provide some limited exceptions to permit compliance with shipping instructions of boycotting countries. Section 760.3(b)(1)(i) permits a U.S. person to comply with a prohibition of shipping the goods on a Qatari-flagged vessel. In addition, section 760.3(b)(2)(i) permits a U.S. person to agree not to ship the goods through Qatar. However, the exceptions only apply to requirements for “shipping goods to the boycotting country.” Any restrictions on where the ship calls after that shipment is complete and the goods are delivered to Fujairah would be a violation of the rules.

So there’s something else for you to worry about. You’re welcome.




Vladimir Wants To See Your Source Code


Posted by at 4:08 pm on June 26, 2017
Category: BIS, Encryption

Photo: Vladimir Putin, by Kremlin.ru [CC BY 3.0 (http://creativecommons.org/licenses/by/3.0)], via https://commons.wikimedia.org/wiki/File%3AVladimir_Putin_12019.jpg [cropped]

According to this Reuters report, the Russians are demanding from U.S. companies the right to view the source code of software that these companies wish to sell in Russia. The software at issue includes software with encryption capabilities, anti-virus software and firewalls. You don’t have to be a rocket (or computer) scientist to figure out why Vladimir and his spymaster buddies want to look at such software. They are looking for vulnerabilities that would allow the Russians to continue to hack into U.S. networks and infrastructure. Surprisingly, Reuters suggests that some big names in U.S. software are actually complying.

That’s surprising because, as many readers probably know, handing over the source code of programs with encryption functionality to the Russian government requires a license from the Bureau of Industry and Security (“BIS”). Normally, I would expect BIS, at least for the moment, to grant such a license when hell freezes over or, as Vladimir himself might say, когда рак на горе свистнет (“when crawfish whistle in the mountains.”)

Here’s why a license is necessary. First, keep in mind that BIS controls the export of software with encryption functionality. This includes software that does not contain any encryption algorithms but calls those algorithms from an external source to perform the actual encryption. Although the language of the EAR is far from making it clear, BIS makes it quite clear here on its website:

Almost all items controlled under Category 5, Part 2 of the EAR are controlled because they include encryption functionality. Items may be controlled as encryption items even if the encryption is actually performed by the operating system, an external library, a third-party product or a cryptographic processor. If an item uses encryption functionality, whether or not the code that performs the encryption is included with the item, then BIS evaluates the item based on the encryption functionality it uses.

Most programs, in fact, call encryption from the operating system. Some browsers, such as Firefox, incorporate their own encryption, and programs may utilize browser encryption when sending and retrieving data from the Internet. In any event, the vast majority of software has some encryption functionality, either by using the operating system or the native encryption in certain browsers.

Second, source code does not fall under EAR section 740.17(b)(1) and is not eligible for self-classification and export under License Exception ENC. Rather, source code that is not publicly available falls under 740.17(b)(2)(i)(B). Items that fall within (b)(2), such as source code, can be exported thirty days after the filing of a classification report to “non-‘government end users’ located or headquartered in a country not listed in supplement no. 3.” See Section 740.17(b)(2)(i). As a result, License Exception ENC does not authorize exports to government end users outside Supplement 3 countries. As Russia is not a Supplement 3 country, a license is required to provide source code with encryption functionality to the government of Russia.

I have no way of knowing whether the U.S. companies that have let Vlad peek at their source code bothered with, or even knew of the requirement for, licenses. And although not so long ago BIS would probably have said “nyet” to any such license request, it is altogether possible that BIS is now saying “da” instead. In any event, companies should think long and hard before spilling their source code for software with encryption functionality to the Russkis without getting a license from BIS first.


