The Brookings Institution just issued a brief report entitled “Addressing Export Control in the Age of Cloud Computing.” The report raises more questions than it answers, which is not surprising given its brevity and the uncertain state of the application of export rules and regulations to cloud computing.
One thing the report gets quite right is its observation that the questions about applying export law to cloud computing pre-date the current cloud computing phenomenon and were raised initially by the trans-national characteristics of the Internet itself. Consider this example provided by the report:
Person A, a U.S. citizen located in the United States, sends an e-mail containing EAR-restricted information in the body of the message to Person B, a U.S. citizen who normally works at a location in the United States. Unbeknownst to Person A, Person B is on a short trip overseas. Person B logs onto his e-mail while overseas using a public computer in the lobby of his hotel, sees that he has an e-mail message from Person A, but since he does not have any reason to believe in advance that it will contain EAR-restricted information, proceeds to click on the message and read it.
Assuming this is an export violation, and under a literal reading of the Export Administration Regulations (“EAR”) it would be, who has broken the rules? Is it the party who sent the email without knowing it was going to leave the country, or the party who opened the email without knowing it contained export-controlled data? The report piles on another question and another wrinkle: suppose the email provider moved the email on to a foreign server after noticing that Person B was accessing the email from abroad. Is the email provider guilty of an export violation? The same issues posed by a simple email also arise when companies begin storing data in the cloud without full control or knowledge of where the cloud servers may be located.
Of course, the literal interpretation of export rules might well forbid the use of email, cloud services or the Internet in general with respect to export-controlled data. Is it time to shut off the computers, address a bunch of envelopes, and crank up the dusty postage meter in the back of your office?
The report suggests that regulators might avoid charges of Luddism and the enshrinement of nineteenth-century concepts of exports by looking at data encryption. Under current rules, data is exported if it crosses borders whether it does so as clear or encrypted text. Perhaps securely encrypted text can find a safe harbor from traditional concepts of export. And although the regulations do not currently take this approach, I have advised people emailing export-controlled data to do so always in encrypted form to guard against things similar to the scenario posed above. If the controlled data, through the miracle of the Internet, winds up on a foreign server, at least the contents of that data aren’t available in any practicable sense to any foreign persons with access to that server. If not a defense to the export violation, it is at least going to be a mitigating factor in any penalty action.