Archive for the ‘Deemed Exports’ Category


May

11

Export License Required


Posted by at 6:52 pm on May 11, 2011
Category: Deemed Exports

JobsI think all the publicity of the new part of the I-129 non-immigrant visa application which asks companies to certify as to whether the company will be transferring export-controlled technology to the foreign employee is causing some confusion. I saw today a job listing for a gas turbine engineer that said this:

This position may require an export license from the Department of Commerce, Bureau of Industry and Security and/or the Department of State, Directorate of Defense Trade Controls. Issuance of any required license is a prerequisite for this position.

This is odd, because that license is only required if the person filling the position is not a U.S. citizen or permanent resident. And if the person is not, a work visa is required, which is a prerequisite prior to any export license. So why the emphasis on the requirement of an export license? Do people now think that export licenses may be required for any jobs involving controlled technical data?

Permalink Comments (5)

Bookmark and Share


Copyright © 2011 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Mar

8

If BIS Can’t Understand the EAR, How Are You Supposed To?


Posted by at 9:20 pm on March 8, 2011
Category: BISDeemed Exports

IBM Blue Gene SupercomputerThe GAO released on March 7 a report, dated February 2, that chastised the Bureau of Industry and Security (“BIS”) for confusion within BIS concerning the proper scope and interpretation of its own deemed export rule. The precise issue is one which has confused exporters even more than BIS and which relates to whether or not giving a foreign national access to an export-controlled dual-use item, such as a high-powered computer covered by ECCN 4A003, is a deemed export or not.

The question revolves around the meaning of “use” under the Export Administration Regulations (“EAR”). For example, in the case of supercomputers controlled by ECCN 4A003, the corresponding technology ECCN 4E001 defines controlled technology as technology “for the “development”, “production”, or “use” of equipment” controlled by ECCN 4A003. “Use” is defined in the EAR as “[o]peration, installation (including on-site installation), maintenance (checking), repair, overhaul and refurbishing.” BIS has interpreted this definition to mean that the mere operation of a dual use item by a foreign national is not a deemed export; rather, a deemed export occurs only when the foreign national is given information that would permit the foreign national to engage in all six activities defined as use.

Since 1994, the GAO has been complaining that this definition is unclear because it does not take into account that controlled information is often transferred in the course of training a foreign national to use a dual use item. Presumably this means that GAO thinks that in teaching a foreign national how to operate the item, an employer or university will also transfer information relating to installation, maintenance, repair, overhaul and refurbishing of the dual use item.

Further confusion exists with respect to dual use items that are being used for fundamental research. According to the GAO report some BIS officials have said that in such an instance there is no deemed export, presumably even if information on all six use aspects is transferred. The GAO report cites an instance where this confusion caused BIS to flip-flop on license applications by the NIH designed to permit foreign nationals to work at a facility with controlled equipment. Initially, NIH took the position that because it was engaged in fundamental research, no deemed export was occurring. When BIS told NIH in 2008 that it needed export licenses notwithstanding that it was only engaged in fundamental research. Between August 2008 and December 2009, NIH applied for 37 deemed export licenses to permit foreign nationals to operate controlled equipment. In December 2009, BIS reversed course and told NIH that no licenses were necessary because NIH was engaged in fundamental research.

So which is it? Frankly, it seems to me that the project in which the controlled item is engaged is irrelevant. If a 4A003 supercomputer is being used to, say, play Jeopardy, that doesn’t mean that you could transfer to a foreign national information on how to operate, install, maintain, repair, overhaul and refurbish that computer. But what I think isn’t important. What’s important is what BIS thinks, and it seems to be of two minds on the issue.

Permalink Comments (2)

Bookmark and Share


Copyright © 2011 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Feb

8

Once More Unto the Breach


Posted by at 8:35 pm on February 8, 2011
Category: BISDeemed Exports

Cloud ComputingThe Bureau of Industry and Security (“BIS”) previously did battle with cloud computing in an advisory opinion it released in January 2009. Almost two years later BIS charges into battle yet again, and yet again there is no clear victor.

In the 2009 advisory opinion, BIS noted that the provider of cloud computing services was only providing a service and was not exporting data or technology. Only the customer of the service could be the exporter, and only the customer of the service would be in export hot water if the data or technology was transferred in violation of the Export Administration Regulations. This logic seemed a bit at odds with the normal concept that providing access to technical data to foreign nationals was an export, but let’s not trouble ourselves here with minor details. A sly little sentence dropped at the end of the opinion also reminded everyone that the Office of Foreign Assets Control (“OFAC”) might have concerns with the provision of cloud computing services to blocked persons or embargoed destinations even if BIS did not.

Now, two years later, BIS confronts the related and more difficult question of what cloud computing service provides ought to do about their own foreign national IT staff who might have access to controlled technology placed on the cloud by the service’s customers. Not to worry, says the opinion, because the cloud computing service provider isn’t an exporter and thus can’t be a deemed exporter:

Because the service provider is not an “exporter,” [it] would not be making a “deemed export” if a foreign national network administrator monitored or screened, as described above, user-generated technology subject to the EAR.

But the problem with this logic is that the person who gives a foreign national access to controlled technology is a deemed exporter even if he isn’t an exporter. That’s why they call it a “deemed” export.

Of course, none of this addresses the 900-pound gorilla in the room which is, of course, the user of the cloud service and its liability for using a cloud service where foreign IT personnel have access to the controlled data that the user may have placed on the cloud. And don’t think the problem starts and ends with cloud computing. The Internet, is also a cloud of sorts linking various servers together to permit transit of data to its final destination. Any of those servers may have foreign network administrators who could use packet sniffers to see controlled technical data. Worse yet, the routing servers may be located in foreign countries even when the sender and the receiver are both located in the United States.

What I think we’d like to hear is what BIS and DDTC think about this. Or maybe not.

Permalink Comments (2)

Bookmark and Share


Copyright © 2011 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

May

25

“Do What I Say” Etc., Etc.


Posted by at 5:45 pm on May 25, 2010
Category: Criminal PenaltiesDDTCDeemed ExportsTechnical Data Export

NASC RFP

In case you can’t read the text of the “WARNING” in this RFP from the Naval Air Systems Command sent to me by an alert reader, it says:

WARNING: THIS DOCUMENT CONTAINS TECHNICAL DATA WHOSE EXPORT IS RESTRICTED BY THE ARMS EXPORT CONTROL ACT (TITLE 22, U.S.C. SEC 2751 ET SEQ) OR THE EXPORT ADMINISTRATION ACT OF 1979, AS AMENDED, (TITLE 50, U.S.C. APP 2401, ET SEQ). VIOLATIONS OF THESE EXPORT

Which is why, of course, the document is posted on the web where any foreign person in any country could download the document and obtain export-restricted technical data. I was able to download without problem all of the documents attached to the RFP.

Perhaps the contracting officer was unaware that the Internet was available outside the United States or that foreign nationals in the United States could actually access the Internet. Or did the contracting officer think that if, say, an Iranian saw this “WARNING” either a crise de conscience or fear of the long arm of U.S. law would cause him or her to heed the warning and not download the juicy details? (I have blurred the details of the RFP so as to not to assist any foreign person in locating this particular RFP, and I’m not providing a link for the same reason.)

The government regularly threatens defense contractors, universities (cf. Professor Roth), and others with huge fines and criminal penalties for disclosures of ITAR-controlled technical data, even data that is already available elsewhere on the Internet. So why haven’t I read about a raid on the Naval Air Command Systems office at the Pentagon and seen pictures of ICE carting off all their computers?

Permalink Comments (8)

Bookmark and Share


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

May

12

Maybe Carbon Paper Wasn’t Such a Bad Thing After All


Posted by at 11:40 am on May 12, 2010
Category: Deemed Exports

Hidden Export RiskAnother day; another export compliance nightmare. First it was cloud computing and now it is . . . copy machines. Seriously.

An alert reader pointed me to this CBS News story about hard drives found in almost all copy machines built after 2002. They store images of the last 20,000 or more things copied on the machines to which they are attached. Your resumé. Your tax return if you copied it at work before you sent it. The photocopy you hilariously made at the office Christmas party of, well, you know who you are and you know what I mean.

It also includes any export-controlled technical data copied on the machine. And since you probably lease that machine, your vendor comes in periodically to replace the machine, whisking away the old one, and its hard drive, and sending them to destinations unknown. Have you worked up a cold sweat yet?

The CBS reporters downloaded copies of hard drives from used copy machines Each copier was bought for $300 each. They found confidential patient medical records, details of an on-going drug investigation by the Buffalo police, and pay stubs with names, addresses and, yes, social security numbers. And I’m sure that export-controlled technical data wouldn’t be hard to find either. At the facility where CBS bought the used copy machines, two containers of used copy machines were being packed for export to Singapore and Argentina. Was your copy machine in that batch?

As soon as you finishing reading this, you probably want to take steps to make sure that copy-machine hard drives are scrubbed before the machines leave your facility and that, in the future, all export-controlled technical data or technology is only copied on secure machines that implement a factory option to erase each image from the hard drive after the copy is made.

Permalink Comments (4)

Bookmark and Share


Copyright © 2010 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)