Archive for the ‘Deemed Exports’ Category


Well, That Didn’t Last Long: DDTC Finds Backdoor To Reimpose Access Rule


Posted by at 10:31 pm on April 25, 2018
Category: DDTC, Deemed Exports

HD Thermal Camera via https://www.flir.com/news-center/professional-tools/the-new-t1010---flirs-latest-hd-thermal-camera/ [Fair Use]

Yesterday the Directorate of Defense Trade Controls (“DDTC”) and FLIR entered into a consent agreement under which FLIR consented to a civil penalty of $30 million, half of which was suspended on the condition that this amount was and would be applied to previous and future compliance costs. The fine was based on a number of export violations in various categories that FLIR voluntarily disclosed. These violations included instances where disclosed violations continued after their disclosure and where promised remedial actions to cure disclosed violations were not taken.

One part of the Charging Letter is interesting because it appears to be effectively a reversion to the old DDTC standard, clearly articulated in the 2004 General Motors Charging Letter, that access to ITAR-controlled information by a foreign national is a deemed export violation even if the controlled information was never in fact seen by the foreign national. As you may recall, back in 2016 DDTC retreated from that position, saying this in the Federal Register Notice in which “export” was redefined by DDTC:

Several commenters requested that the Department remove the portion of (a)(6) that addressed the provision of physical access to technical data. The Department has removed paragraph (a)(6). However, as described above for paragraph (a)(7), while the act of providing physical access does not constitute an “export,” any release of technical data to a foreign person is an “export,” “reexport,” or “retransfer” and will require authorization from the Department. If a foreign person views or accesses technical data as a result of being provided physical access, then an “export” requiring authorization will have occurred and the person who provided the foreign person with physical access to the technical data is an exporter responsible for ITAR compliance.

Now look at this part of the Charging Letter:

Approximately 1,350 foreign-person employees had access to all ITAR-controlled technical data (over 1,400 files) located on Respondent’s servers in 22 non-U.S. facilities … While access does not mean that the employees viewed the information, Respondent lacked the IT records which could confirm which employees actually accessed ITAR-controlled files. … It is the Department’s position that Respondent transferred technical data to foreign-person employees that was necessary for their job performance on its servers without authorization.

What DDTC is saying here, in effect, is that if you don’t have logs showing every access to the controlled technical data — and who will have that? — then DDTC is just going to assume that the controlled technical data was transferred to everyone who had access to it. So we’re back where we started and access, not disclosure, is the violation. Sigh.



Copyright © 2018 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

UMass Bans Iranian Students


Posted by at 7:34 pm on February 17, 2015
Category: Deemed Exports, Iran Sanctions

UMass Amherst Student Union by Trace Meek [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/tracemeek/8972271164 [cropped]

[UPDATES BELOW]

Why solve a problem with a scalpel when there is a sledgehammer nearby? That is the question that UMass Amherst administrators must have asked themselves when they decided to ban all Iranian students from their graduate-level science and engineering programs. The problem, of course, that had the administrators in a tizzy was the fear that the university might engage in deemed exports of export-controlled technology to those Iranian students.

It seems, however, that the UMass administrators perhaps need themselves a little education in export law. For starters, the Export Administration Regulations (“EAR”) make clear in section 734.9 that information “released by instruction in catalog courses and associated teaching laboratories of academic institutions” is not subject to the EAR and that, therefore, teaching this information to Iranians (or any other foreign student) is not a violation of the EAR.

Perhaps the administrators are afraid that school labs might have export-controlled equipment and that Iranians, if they have access to these machines, might be considered to have received export-controlled technology. That may be a legitimate concern, but it is not one that is restricted to Iranians. To solve this problem, UMass would have to boot all foreign students.

Nor is there any merit in the argument, apparently made by a “policy analyst” at a small DC firm cited in the linked article, that this result is mandated by section 501 of the Iran Threat Reduction and Syria Human Rights Act. That section prohibits the State Department from issuing visas to an Iranian to attend a U.S. university “to prepare … for a career in the energy sector of Iran or in nuclear science or nuclear engineering or a related field in Iran.” To begin with, this section imposes an obligation only on the State Department and not on any university in regard to its relation with a student once such a visa was granted. Nor does the prohibition extend to all fields in science and engineering, unless, somehow, a graduate degree in biology prepares one to work in the energy or nuclear field.

Beyond that, the University runs the risk of violating the anti-discrimination provisions of the Immigration and Nationality Act. Those provisions prohibit discrimination in employment against a legally-admitted foreign national based on his or her national origin. Since graduate students normally receive employment from their universities, a total ban on Iranian graduate students could very likely be seen as a violation of those prohibitions.

UPDATE: An email from the DC firm discussed in this post indicates that their policy analyst did not state in the interview cited in the linked article that section 501 of the Iran Threat Reduction and Syria Human Rights Act mandated the position taken by UMass Amherst. The email goes on to state that the law firm also believes, as I do, that the UMass Amherst policy is overbroad.

SECOND UPDATE: Do you think maybe the folks at UMass Amherst read this post? Probably not, but for whatever reason they’ve already reversed their policy banning Iranian graduate students in science and engineering.




Chinese Hacker Nabbed on Export Charges


Posted by at 9:20 pm on August 19, 2014
Category: Arms Export, Criminal Penalties, DDTC, Deemed Exports

Stephen Su photo taken by CBP during U.S. transit in 2011 via http://www.cbc.ca/news/canada/british-columbia/su-bin-chinese-man-accused-by-fbi-of-hacking-in-custody-in-b-c-1.2705169 [Public Domain]
ABOVE: Stephen Su


Well, we all know, or should know, that hacking is a criminal violation of the Computer Fraud and Abuse Act, at least when it entails unauthorized access to another party’s computer. What you may not know is that if you’re a foreign national and if the data accessed is technical data controlled by the International Traffic in Arms Regulations, hacking can also be a violation of the Arms Export Control Act.

Back in June, Canadian authorities arrested, at the request of the FBI, a Chinese citizen and Canadian permanent resident named, variously, Su Bin, Stephen Su and Stephen Subin, who we’ll refer to simply as Su for convenience. Su, the owner of Lode-Tech, a Chinese company with an office in Canada, was accused of conspiring with several Chinese nationals to hack into U.S. defense contractors’ computer systems and to exfiltrate data about military aircraft back to China. Last Friday, Su was indicted by a federal grand jury in California.

One of the charges in the indictment is a violation of the Arms Export Control Act. The theory behind this charge is that Su, with his PRC-based co-conspirators, conspired to break into the U.S. computer systems and to disclose ITAR-controlled technical data to foreign nationals among whom were, of course, themselves.

The criminal complaint filed back in June, which served as the basis for Su’s arrest, contains some fascinating details. First, it appears that access was gained to the defense contractors’ systems by sending emails to employees of the contractors containing infected attachments or links to infected websites that installed malware on the systems, which allowed the hackers to control the systems, to view files on the system, and to send the files back to themselves. Interestingly, the files were then transferred to hop points or servers in Hong Kong and Macao and from there were physically carried back into the PRC. It also appears that as the Internet becomes easier for security agencies to surveil, modern spies have started to revert to older methods of spycraft such as smuggling documents, document drops, and, conceivably, even encrypted Morse code shortwave radio transmissions. One wonders if the NSA is training folks in Morse code and invisible ink. What’s next? Microdots?




DDTC Deflates Cloud Puffery


Posted by at 5:25 pm on June 11, 2014
Category: DDTC, Deemed Exports, Encryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data was encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather the token and the original data are maintained on a secure server which can be used to replace the token when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.
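To make the distinction in that paragraph concrete, here is an added example of vault-based tokenization; it is not from the original post and is not Perspecsys’s product or the scheme DDTC reviewed. The record fields, their values and the class and function names are constructed for illustration. The point it shows is the one the post makes: the token is random, so there is no key or algorithm that recovers the data from it, and everything depends on where the vault holding the token-to-value mapping lives.

```python
"""Added example, not from the original post or from Perspecsys: a minimal
vault-based tokenization scheme of the kind the post describes, contrasted with
encryption. All record fields and values below are constructed for illustration."""
import secrets


class TokenVault:
    """Holds the only link between a token and the original value.

    Unlike a ciphertext, a token is just random bits: there is no key and no
    algorithm that turns it back into the data. Whoever holds this vault can
    resolve tokens; whoever does not is left with noise. In the post's scenario
    the vault is the component that would have to stay in the United States.
    """

    def __init__(self, token_bytes=16):
        self._token_bytes = token_bytes
        self._token_to_value = {}

    def tokenize(self, value):
        """Issue a fresh random token for value and remember the mapping."""
        while True:
            token = secrets.token_hex(self._token_bytes)
            if token not in self._token_to_value:  # collisions are practically impossible
                self._token_to_value[token] = value
                return token

    def detokenize(self, token):
        """Resolve a token; an unknown token raises KeyError rather than returning a guess."""
        return self._token_to_value[token]

    def __len__(self):
        return len(self._token_to_value)


def tokenize_record(record, sensitive_fields, vault):
    """Return a copy of record with each sensitive field replaced by a token."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def restore_record(tokenized, sensitive_fields, vault):
    """Inverse of tokenize_record; only works with the vault that issued the tokens."""
    out = dict(tokenized)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def leaked_values(tokenized, original, sensitive_fields):
    """Sensitive original values that still appear verbatim in the tokenized copy."""
    return [f for f in sensitive_fields
            if f in original and str(original[f]) in str(tokenized.get(f, ""))]


# Constructed sample record: the "controlled" fields are placeholders, not real technical data.
SAMPLE_RECORD = {
    "part_no": "CONSTRUCTED-001",
    "drawing": "<constructed controlled drawing text>",
    "tolerance_note": "<constructed controlled note>",
    "status": "draft",
}
SENSITIVE_FIELDS = ("drawing", "tolerance_note")


def demo(record=SAMPLE_RECORD, fields=SENSITIVE_FIELDS):
    """Tokenize a record as it would be before leaving the vault's jurisdiction, then restore it."""
    vault = TokenVault()
    tokenized = tokenize_record(record, fields, vault)   # what a remote cloud server would hold
    restored = restore_record(tokenized, fields, vault)  # only possible with the vault
    return {
        "tokenized": tokenized,
        "restored": restored,
        "leaked": leaked_values(tokenized, record, fields),
        "vault_entries": len(vault),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The copy a remote server would hold carries only the non-sensitive fields and 32-character hex tokens; handing that copy to a second, empty `TokenVault` cannot resolve anything, which is the mechanical difference from encryption, where the same key and algorithm work wherever they are. Whether that difference has any regulatory effect is a separate question, and the post goes on to explain that the DDTC opinion did not say it does.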

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible for export only under the exceptions that apply to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees were covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]




Ignorance Is Indeed a Defense: NASA Ames Edition


Posted by at 6:06 pm on March 5, 2014
Category: DDTC, Deemed Exports, ITAR

Aerial View of NASA Ames Research Center https://www.facebook.com/photo.php?fbid=10151655073516394&set=pb.338122981393.-2207520000.1394054211.&type=3&theater [Public Domain]

The NASA Office of Inspector General completed its investigation of unlicensed releases of ITAR-controlled technology to foreign nationals working at the Ames Research Center and — surprise! surprise! — it found no evidence of any violations of law. According to a summary of the OIG report, ITAR-controlled information was released without proper authorization to foreign nationals working at Ames. However, this was not a violation of law, just “poor judgment,” which is a nice way of saying that ignorance of the law can be a defense if you work at NASA and are being investigated by the NASA OIG. The full report was withheld because of privacy concerns, i.e., it mentioned the names, I would presume, of all the people running around at Ames and exercising poor judgment.

As they say on the car commercials: “Professional government workers exporting on closed course. Do not attempt this yourself.” In other words, “poor judgment” will not be enough to exonerate deemed exports in the private sector.

The reason for this all being just a lapse of judgment and not an export violation is this:

We … found significant disagreement between scientists and engineers at Ames and export control personnel at the Center and NASA Headquarters as to whether the work the foreign nationals were performing at Ames involved ITAR-controlled technology.

For you and me, such confusion means you need to file a Commodity Jurisdiction request with the State Department to clear things up. For NASA workers it means that export controls are hard and engineers can’t be blamed for getting hard questions wrong. This statement is somewhat incredible in the context of this finding in the report:

In addition, on two occasions a senior Ames manager inappropriately shared documents with unlicensed foreign nationals that contained ITAR markings or had been identified as containing ITAR-restricted information by NASA export control personnel.

But, yeah, everybody was still confused and disagreeing over whether this stuff was ITAR-controlled or not.

Then we have the part of the report which suggests that Professor Roth probably wishes he worked at NASA and not the University of Tennessee.

We also found that a foreign national working at Ames inappropriately traveled overseas with a NASA-issued laptop containing ITAR-restricted information. Even though the foreign national had an ITAR license at the time, the regulations forbid taking such export-controlled information out of the country. However, we were unable to substantiate concerns that the foreign national shared ITAR-protected information while overseas.

Professor Roth is sitting in a federal correctional facility in part because he carried a laptop with ITAR-controlled data to China without any evidence whatsoever that he even opened those files on his computer while in China. I think this is what some people might call a double standard.


