Archive for May, 2015


May

29

Last Second Reprieve For BEA Victims, Er, Filers


Posted by and at 5:51 pm on May 29, 2015
Category: Bureau of Economic Analysis

Brian Moyer via http://www.bea.gov/about/images/moyer-brian.png [Public Domain]
ABOVE: Dr. Brian Moyer,
BEA Director


We have previously reported on the impending deadline of May 29, 2015 for all U.S. individuals and entities with 10% or greater interest in any “foreign affiliate” to file Form BE-10 with the U.S. Bureau of Economic Analysis (“BEA”) – a deadline which caused no small amount of consternation among many who had no idea of their obligation to report or who realized that the BEA’s own estimate of the burden to complete this report was 144 hours per response. Many were scrambling to complete their report or file for an extension as the deadline neared.

With little fanfare, the following message appeared on the BEA BE-10 Form website sometime on May 28, 2015:

BEA Website Screen Grab

While no press release or Federal Register Notice accompanies this announcement, this blurb on the website amounts to a last-minute reprieve for all new filers of Form BE-10.  One can only imagine that BEA was inundated with extension requests, an outcome that would have been obvious to everyone but the BEA economists hunkered down in their cubicles and with little contact, apparently, with the outside world.

Those who have previously filed Forms BE-10, BE-11 or BE-577 are not off the hook for the May 29, 2015 filing deadline and must complete their report or file for an extension by the deadline.June 30 will arrive soon enough, and the amount of data and effort necessary to complete the Form BE-10 report should prompt those new filers given a brief respite to start working on this onerous task now rather than on June 29th.

Permalink Comments Off on Last Second Reprieve For BEA Victims, Er, Filers

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

May

27

Are You A Natural Person or an Unnatural One?


Posted by at 9:43 pm on May 27, 2015
Category: General

Harry S. Truman Building, United States Department of State, Washington, D.C. by Ken Lund [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/kenlund/14299552757/DDTC issued proposed rules yesterday dealing, mostly, with the conundrum of what to do with U.S. citizens who work, either in the U.S. or abroad, for foreign defense contractors. Since most normal people (viz., natural persons) do not pore over the ITAR in their spare time, it often comes as a surprise to them, particularly if they are working for foreign defense contractors who don’t care much about the ITAR, that they can go to jail for undertaking such employment in certain circumstances, unless they register with, and get advance permission from, the State Department’s Directorate of Defense Trade Controls.

The proposed rules ease up on this restriction, at least for U.S. citizens who work for foreign defense contractors in a “NATO or EU country, Australia, Japan, New Zealand, and/or Switzerland.” The end-users for the defense articles involved must be in one of those countries, and no U.S. defense articles can be involved. Oh, and no SME either, meaning the foreign defense article cannot be defined on the United States Munitions List as “Significant Military Equipment,” which includes not just obvious things like bombers and missiles but also less obvious things like certain lasers.

Before you run off and email your job application to BAE, there’s one more thing. Although U.S. persons in such situations do not need prior DDTC approval for such employment, they still need to register with DDTC. There is an exemption for people working for DDTC-registered companies but, obviously, this may not be the case for the scenario of a U.S. person working for a foreign defense company.

Two additional things should be pointed out about the proposed rules: one is useful and the other is, frankly, rather hilarious. Let’s take the useful one first. As most readers will know, there has been a bewildering lack of clarity about which subsidiaries can be included on a registration statement, particularly inasmuch as section 122.2 allowed such inclusion for subsidiaries that were more than 50 percent owned by the registrant or were “otherwise controlled.” It’s always those “otherwises” that keep lawyers employed. The proposed rules add a note to say that “otherwise controlled” can be

rebuttably presumed to exist where there is ownership of 25 percent or more of the outstanding voting securities if no other person controls an equal or larger percentage.

Now for the somewhat hilarious one. In order to allow U.S. citizens to work for foreign defense contractors, but not to create a new exemption for U.S. companies in their dealings with these foreign companies, DDTC has decided that it needed to say that this exemption is restricted to “natural persons.” And, because “natural person” seemed to them apparently to be an incomprehensible and esoteric term, the new rules actually define natural person. It means, in case you were wondering, an “individual human being.” Of course, “human being” probably needs to be defined as well.  I, for one,  know plenty of people who are not really “human beings.”  For example, New York Yankees fans aren’t human beings. They’re animals, pure and simple.

Permalink Comments (1)

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

May

20

BIS Finally Releases Proposed Cybersecurity Rules


Posted by at 11:55 pm on May 20, 2015
Category: BISCyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Min istry_of_Defence_MOD_45153616.jpgAt long last, and well after the E.U. and many other members of the Wassenaar Arrangement, BIS has released proposed (but not final) rules implementing the December 2013 changes adopted by the Arrangement and which imposed export controls on “intrusion detection software” and “IP network communications surveillance” systems and equipment. After the E.U. adopted the 2013 changes in October 2014, we speculated that the delay by BIS beyond its announced September 2014 date for releasing a proposed rule was that it perhaps was struggling with the impact of Wassenaar’s overbroad definition of “intrusion detection software.” But we were wrong.

The proposed rule adopts the Wassenaar changes without clarification of the scope of coverage of intrusion detection software. Instead, the delay seems to have been wholly occasioned by housekeeping matters: specifying the reasons for control, deciding that no license exceptions would apply, and so forth. The proposed BIS rules also grapple with a rather esoteric problem: what to do with intrusion detection software with encryption functionality. And it decides that the software is classified, and must comply with, both ECCNs, which, at last, concedes something BIS long said was impossible: that an item could have two ECCNs. Finally, and I’m not joking, so I’ll quote the agency itself to prove that I’m not

[a] reference to §772.1 is proposed to be added to ECCNs 4A005, 4D001 and 4E001 to point to the location of the ‘‘intrusion software’’ definition, as this rule may be of interest to many new exporters that would not otherwise know that double quoted terms in the EAR are defined in §772.1.

Seriously? Now BIS starts to worry about the indecipherability of the EAR and the secret rules of interpretation that must be applied? What next? Will proposed rules start spelling out “n.e.s.”?

But, all joking aside, the problems with the definition of intrusion software remain

‘‘Software’’ ‘‘specially designed’’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following: (a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

The notes indicate that protective measures include “Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) or sandboxing.”

Many have pointed out this definition would cover programs that permit auto-updating without user intervention, such as, for example, the Chrome browser, which updates itself in the background and circumvents protections normally imposed by the operating system to prevent installation or modification of programs without user intercession. Address Space Layout Randomization (ASLR) loads program components into random addresses in memory as a security measure against buffer overflow attacks and yet legitimate programs that must “hot-patch” operating servers or systems must scan memory to locate the program components, thereby both extracting data and defeating ASLR. The definition of sandboxing as a protective measure will subject programs that permit rooting or jailbreaking of mobile telephones to export controls.

I don’t normally try to look into a crystal ball and make predictions about the future, but I see clearly a flood of classification requests by software developers.

Permalink Comments Off on BIS Finally Releases Proposed Cybersecurity Rules

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

May

19

BIS Publishes Tips You Can Use (or Not) to Unmask Russian Straw Purchasers


Posted by at 9:48 pm on May 19, 2015
Category: BISRussia Sanctions

By Daderot (Own work) [CC0], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3APatent_quote_-_United_States_Department_of_Commerce_-_DSC05103.JPGThe Bureau of Industry and Security (“BIS”) just released new guidance, snappily titled “Guidance on Due Diligence to Prevent Unauthorized Transshipment/Reexport of Controlled Items to Russia,” which attempts to reveal ways in which U.S. exporters can detect whether a purchaser is sneakily trying to buy things not for itself but for the bad guys in Russia. This, of course, is a laudable purpose, not just for the Russians, but for the many other countries and entities that know they can’t directly buy certain export-controlled goods and have a straw purchaser do their dirty work. But, sadly, most of the advice for sniffing out secret Russian intermediaries is about as useful as the secret decoder rings that used to be found in cereal boxes.

Here it is:

When inquiring into the ultimate destination of the item, an exporter should consider e-mail address and telephone number country codes and languages used in communications from customers or on a customer’s website. The exporter should also research the intermediate and ultimate consignees and purchaser, as well as their addresses, using business registers, company profiles, websites, and other resources. … Furthermore, exporters should pay attention to the countries a freight forwarder serves, as well as the industry sectors a distributor or other non-end user customer supplies.

Particularly risible is the advice to pay attention to the “email address and … languages used in communications from customers or on a customer’s website.” Because, of course, if you’re trying to hide the fact that your acting on behalf of the Russians you’re going to put up a website in Russian, email from a .ru domain, and say “Nyet” when asked if you’re secretly working for the Russkis.

It’s not quite clear why BIS mentions these factors — which may from time to time catch a really stupid Russian intermediary who slips and starts babbling in Russian — rather than more reliable red flags. The most frequent indicators that you’re dealing with an imposter is a purchaser who appears to have no clear understanding of, or use for, the item he or she is seeking to purchase. Small purchasers that your company has never dealt with or who say that they are simply a reseller should set off alarm bells. And here’s a personal favorite: Google Maps Street View is your friend. If you track down the address in Amsterdam and see that the purchaser of a controlled accelerometer is a bicycle store or a car repair garage, well, your work is done.

Permalink Comments (1)

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

May

12

Federal Court Strikes Down Warrantless Border Search in Iran Export Case


Posted by at 11:23 pm on May 12, 2015
Category: Criminal PenaltiesIran Sanctions

Los Angeles International Airport by Daniel Betts [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/redlegsfan21/13789084574A federal district court judge in the District of Columbia last week granted a motion to suppress evidence obtained by a DHS Special Agent after a laptop was seized from a departing passenger at LAX and subsequently subjected to a comprehensive forensic search. Prosecutors attempted to defend the search as a routine border search which could be conducted without reasonable suspicion of any kind and without any warrant. The court held that the search was impermissible both because the government had no reasonable suspicion of “ongoing or imminent” criminal behavior and because the search was an extensive forensic search conducted away from the border after the passenger had long departed the country.

In the case at issue, the DHS had some evidence that the defendant, five years prior to the search, had shipped items to China knowing that they were going to be transshipped to Iran. When the investigating special agent learned that the defendant had traveled to the United States, the agent decided to have CBP seize the defendant’s laptop at LAX when he departed the country. The laptop was then shipped to San Diego where the hard drive was imaged. Specialized software was then used to search the contents of the hard drive. More than 20,000 files and a large number of emails were retrieved which, after review by the special agent, provided evidence of the Iran exports that occurred five years earlier. The special agent then applied for, and obtained, a search warrant seeking authority to seize those emails and documents which then served as a basis for the prosecution before the federal district court in the District of Columbia.

The Court’s decision that the search was unreasonable relied on a number of factors. First, the court noted that suspicion of prior criminal activity was not a reasonable suspicion that could support a warrantless search at the border. Such a search could only be justified on the basis of a suspicion of imminent or ongoing criminal activity, not past criminal activity, and there was no reason for the agent to suspect ongoing or imminent criminal activity. Instead he was just fishing for evidence of past criminal activity.

Second, the court distinguished the type of search that occurred from a routine border search that could be justified by reasonable suspicion of ongoing or imminent criminal activity. The court noted that the actual search occurred long after the passenger had departed and at hundreds of miles from the border where the laptop was seized. Additionally, it was a search of unlimited scope and unlimited duration. This, the court felt, was far different from opening and examining a passengers luggage or briefcase at the border for a search prior to departure.

The court also seemed troubled by misrepresentations made by the DHS Special Agent when he did finally apply for a warrant to seize the documents obtained from the defendant’s hard drive. The affidavit in support of the application for a warrant represented to the court that the warrant was needed to enable a search of the “mind-boggling” amount of data on the hard drive and that the extraction of the data “may take weeks or months.” In fact, this was all a charade (to use a polite term); all of the extraction had already occurred and no further searches of the hard drive were thereafter conducted by the DHS special agent or the government.

Although the court did not directly focus on this, another factor seems dispositive here. Warrantless searches are normally justified by some exigency for the search which makes it difficult to obtain a warrant in advance. In a typical border search, the luggage or briefcase being examined is about to leave the country and seeking a warrant before that departure would be impractical. Here, however, the government had the luxury of all the time in the world to image the hard drive and examine its contents. There is no possible reason as to why it was impractical to get a warrant before extracting the data and rifling through its contents.

Permalink Comments Off on Federal Court Strikes Down Warrantless Border Search in Iran Export Case

Bookmark and Share


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)