Archive for June, 2015


Jun

17

How To Go To Jail Right Now: A Gothamist Primer


Posted by at 9:55 pm on June 17, 2015
Category: Cuba Sanctions, OFAC

Cuba - Havana - Car by Didier Baertschiger [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/didierbaertschiger/11785935544 [cropped]

Popular local website group Gothamist (which is also responsible for DCist, LAist, Chicagoist, and others) ran on its websites today the intriguingly titled: “How To Go To Cuba Right Now: A Travel Primer.”  You can guess what I think of that article by my title for this post: “How To Go To Jail Right Now: A Gothamist Primer.”

The Primer is authored by Tod Seelie, who appears to be a talented photographer and who describes his trip to Cuba. He said he wanted to go to see the old cars, the crumbling buildings and the beaches. Wondering if it was as “easy as buying a ticket online,” he bought a ticket from a website. He notes he “checked ‘journalistic activity,’ though my visa ultimately identified me only as a tourist.” And he was off.

The rest of his story details how to get an AirBNB room, the different currencies for locals and tourists, the drinkability of the water, the cost of cabs, the absence of soap in bathrooms,  the skimpy miniskirts worn by Cuban customs agents, and how hard it was for him to understand Cuban Spanish because they drop their s’s at the end of words. Finally, he noted that on the way back from what appeared to be more a vacation than anything else, the only question he was asked by the CBP agent was “Did you have fun?”

Nowhere in the article does Seelie do anything to rebut the likely assumption by his readers that anybody who wants to bop around Old Havana for a weekend getaway can just book an online ticket, sign on to AirBNB to book a room, stuff a moneybelt with cash and head off for sun and mojitos. As readers of this blog know, but readers of blogs in the Gothamist empire probably won’t know, you can’t just go to Cuba as a tourist. You have to go for one of the permitted reasons set forth in the regulations.

What about Mr. Seelie? Did he break the rules? Well, he has a colorable case that he is a journalist, since the regulations include in the definition in section 515.563 “a freelance journalist with a record of previous journalistic experience working on a freelance journalistic project.” Mr. Seelie’s bio suggests he’s published some pictures in some newspapers so we’ll give him this. But, but, but, there’s this in the rules:

The traveler’s schedule of activities does not include free time or recreation in excess of that consistent with a full-time schedule.

You be the judge whether Mr. Seelie was in Cuba for full-time journalism and incidental fun or full-time fun and incidental journalism.

UPDATE: The article in Gothamist was written by Lauren Evans; Mr. Seelie accompanied her to Cuba to take photographs. Although Ms. Evans clearly fits, in my view, the definition of a journalist under section 515.563, she still leaves the impression that anyone can hop on a plane and go to Cuba, which, of course, is dead wrong and can lead to an unpleasant encounter with OFAC. And the question still remains whether she, in addition to Mr. Seelie, was there for full-time journalism and incidental fun or full-time fun and incidental journalism.


Copyright © 2015 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jun

16

BIS Cybersecurity FAQs Reach the Right Result for All the Wrong Reasons


Posted by at 9:16 pm on June 16, 2015
Category: BIS, Cyber Weapons

Photo: Harland Quarrington/MOD [see page for license], via Wikimedia Commons http://commons.wikimedia.org/wiki/File%3ACyber_Security_at_the_Ministry_of_Defence_MOD_45153616.jpg

After the uproar generated by the proposed amendments to the Export Administration Regulations to implement the Wassenaar Arrangement’s rules controlling “intrusion software,” the Bureau of Industry and Security (“BIS”) tried to calm things down by issuing some FAQs on the proposed rules. Sadly, I don’t think these FAQs are as helpful as BIS apparently thinks that they might be.

To understand the difficulty here, let’s focus on the problem I discussed in this post indicating that the new controls could reach auto-updaters, like the one in Chrome, that bypass operating system protections designed to prevent installation of new software without user interaction. The FAQs now say explicitly that auto-updaters are not covered. That is a good thing, and you (that means you, Google) can take that statement to the bank.

But the reasoning that BIS uses to reach this conclusion is dicey at best. Here it is:

Does the rule capture auto-updaters and anti-virus software?

No. Software that permits automatic updates and anti-virus tools are not described in proposed ECCN 4D004. ECCN 4D004 software must be specially designed or modified for the generation, operation or delivery of, or communication with, “intrusion software,” which is separately defined. Software that automatically updates itself and anti-virus software may take steps to defeat protective countermeasures, but they are not generating, operating, delivering, or communicating with “intrusion software”.

The problem with this analysis starts with the fact that BIS admits that an auto-updater is “intrusion software.” That’s an inescapable conclusion, of course, because the auto-updater overrides operating system requirements that require user interaction to install new programs and does so to modify system data by installing the new program. But, we are told by BIS, the auto-updater doesn’t generate, operate, deliver, or communicate with “intrusion software.” Well, that might make sense if the auto-updater is a cyber-version of parthenogenesis and pops into existence completely unaided. That, of course, is nonsense. Some program, either the auto-updater itself or some other lines of code in the program being updated, has to be specially designed to operate, deliver or communicate with the auto-updater for it to work at all. And so that code, either as part of the updater or the program itself, is covered by the ECCN. In short, an auto-updater, unless accompanied by a program covered by the new ECCN, is useless and will not work at all.

The problem here is unavoidable because of the EAR’s broad definition of program:

A sequence of instructions to carry out a process in, or convertible into, a form executable by an electronic computer

The lines of code in Chrome that deliver the auto-updater are, without question, a sequence of instructions convertible into a form executable by a computer, i.e. a program, specially designed to deliver other lines of code to defeat operating system protections requiring user interaction before modifying system data. If Chrome is exported with those lines of code that deliver the auto-updater, it needs a license; if those lines of code are stripped from Chrome, it can be exported but it will not auto-update.

Of course, BIS has made it clear that it does not think auto-updaters are covered, so I don’t think Google needs to worry about violating the law. Unfortunately, the reasoning that BIS used to reach this conclusion is nonsense.


Jun

10

The District of Columbia? Is That Somewhere in South America?


Posted by at 11:59 pm on June 10, 2015
Category: BIS

African American Civil War Memorial Metro Stop by Clif Burns via Flickr https://www.flickr.com/photos/clif_burns/12398814043/ [with permission]

Those of us who live in the District of Columbia are used to, if not content with, the routine indignities imposed on us as residents of that tiny square of reclaimed swamp land sandwiched in between Virginia and Maryland. Like convicted felons, we can’t vote for anyone in Congress. Like third-world dictatorships, any laws enacted by our city council cannot go into effect unless approved by our unelected overlords in Congress. When trying to book a hotel or buy a gadget over the Internet, we find we can’t fill out the order form because the District of Columbia, which is not a state, is not listed in the drop-down list of states. When traveling, we can be denied boarding flights because some TSA agent decided that a D.C. driver’s license isn’t a state-issued ID.

So kudos to the Bureau of Industry and Security (“BIS”) for, at last, recognizing that the District of Columbia exists, as it finally did in the recently proposed amendment to the definitions in the Export Administration Regulations.  Currently, section 734.2(b)(8) of the EAR says this:

Export or reexport of items subject to the EAR does not include shipments among any of the states of the United States, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States. These destinations are listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census

Take a look at Schedule C which defines those territories, dependencies and possessions of the United States that are not exports, and you will see Puerto Rico, the Virgin Islands, Guam, American Samoa, Northern Mariana Islands, and the United States Minor Outlying Islands. Conspicuously missing from the list is the District of Columbia.

The proposed amendments add a new section 734.18(a)(3) which says this:

Shipping, moving, or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census.

Now that may be good news for us in the District of Columbia, but it’s bad news for anyone who has ever shipped an item on the Commerce Control List, such as a cattle prod, into the District of Columbia in the past five years. Anyone who did that has violated U.S. export laws because the District of Columbia is not a state and it’s not listed in Schedule C. It’s a foreign destination under current rules. You could go to jail. You could be fined $250,000 for each such export by BIS. You could have your export privileges denied. So, folks, get those voluntary disclosures in before you find a team of ICE agents in your offices carting off all your computers and interrogating all your employees.


Jun

9

OFAC Announces Travel Ban to Iran


Posted by at 3:22 pm on June 9, 2015
Category: Iran Sanctions, OFAC

Imam Khomeini by Kaymar Adl [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/kamshots/515002010/ [cropped]

Okay, yes, the headline is clickbait, but it’s also not too far from the truth. (Unlike typical clickbait — such as “Four Foods You Eat That Are Poisonous: Number 4 Will Really Surprise You” or “Twelve Really Famous Movie Stars With Really Bad Teeth” — which is largely untrue.) The basis for this (slightly) sensationalized headline is something an official from the Office of Foreign Assets Control (“OFAC”) said yesterday at the meeting here in DC of the Association of University Export Control Officers.

During a Q&A period, an audience member posed three scenarios and asked which ones, if any, would require an OFAC license. Scenario 1: a faculty member goes to Tehran to attend an open conference and presents a paper in collaboration with Iranian professors that is intended to be published. Scenario 2: a faculty member goes to Tehran to attend the same open conference and reads an already published paper and answers no questions from the audience. Scenario 3: a faculty member goes to Tehran to attend the conference and does nothing but listen.

Easy, said the OFAC representative. (And the answer will really surprise you.) “All three require a license. Merely attending the conference is the provision of a service in Iran.”

By that logic, of course, all travel to Iran is banned. If you go to Iran to see your relatives, you’re providing a service in Iran to your relatives. If you go to Iran to write a story on contemporary Iranian youth, you’re providing a service to contemporary youth in Iran. If you go to Iran to ski, you’re providing a service to Iranian ski resorts. If you go as a tourist and give a fellow tourist directions, you’re providing a service in Iran to your fellow tourist.

Okay, I’m being somewhat unfair. Not all travel is banned to Iran. If you are a penniless, uneducated vagrant unable to speak, hear or otherwise communicate, you can go to Iran without a license. Bon voyage.


Jun

4

Once Upon a Time in a Public Domain Far, Far Away


Posted by at 9:19 pm on June 4, 2015
Category: DDTC, Technical Data Export

England's Oldest Working Catapult by Thomas Euler [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://www.flickr.com/photos/thomaseuler/3656736595/ [cropped]

Once upon a time, and long before the Internet, in a distant and dank corner of Washington, D.C., there lived an obscure agency called the Directorate of Defense Trade Controls (“DDTC”), which, among other things, kept watch, like a jealous dragon, over certain types of information that it believed it was destined to protect, information such as how to build a catapult or the best timber to use for a battering ram or the deadliest method for swinging a mace at an enemy. And it sent out a decree, far and wide, that anyone who should dare to disseminate such information without its permission, except in locked rooms with less than three other citizens present between the hours of midnight and dawn, would be sentenced to immediate gibbeting. Fortunately, there was no Internet, so few, in those days, were seen hanging in cages in Foggy Bottom.

Of course, this little fairy tale is a preface to the recent release by DDTC of proposed revised definitions of, among other things, the term “public domain” which, as you might imagine, does not mean to DDTC what it means to anyone else who speaks English. The proposed new definition seems to have been written by people who have heard of the Internet only as something the kids use to tweet things and post selfies.

The importance of the definition of “public domain” is that information about defense articles (like muskets and missiles) is not subject to export controls if it is in the “public domain” as defined in section 120.11 of the International Traffic in Arms Regulations (the “ITAR”). DDTC has previously taken the position that pictures on the Internet were not “public domain” because section 120.11 does not specifically mention the Internet. (Never mind, of course, that the definition includes information available “[a]t libraries open to the public” and that every single library in the United States, save apparently for the one at DDTC, has Internet terminals.)

The newly proposed rules, coming more than twenty years after the appearance of the World Wide Web, finally (and grudgingly) acknowledge the existence of the Internet. The new definition would define “public domain” to include information made available to the public through

Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public;

Before you get too excited, however, there’s this: an exception that eats up the entire definition from any practical point of view.

(b) Technical data or software, whether or not developed with government funding, is not in the public domain if it has been made available to the public without authorization from:

(1) The Directorate of Defense Trade Controls;

(2) The Department of Defense’s Office of Security Review;

(3) The relevant U.S. government contracting entity with authority to allow the technical data or software to be made available to the public; or

(4) Another U.S. government official with authority to allow the technical data or software to be made available to the public.

So, you see a picture of a fighter jet on the Internet. Is it “public domain” or not? Will you get in trouble for re-posting it? Well, you have no idea because you have no way of knowing whether any official falling in the four categories above has authorized it to be posted. You probably can’t even tell who falls in category (3) or (4). In fact, probably nobody can tell which government officials fall in those categories.

DDTC attempts to address this issue with a note saying that if somebody else put the information on the Internet you are not breaking the law unless you “know” that they did so without authority.  But does “know” mean actual knowledge or does it slide, like it often does, into not engaging in due diligence to determine that it was authorized?  Your guess is as good as mine.   So use the Internet at your own risk, unless you’re just posting selfies on Instagram.

For companies in the defense industry, this proposed definition is equally problematic if they use the Internet at all.  Every time they post information on their own products, thinking that the information they are posting is already in the “public domain,” they need to ask permission from DDTC if they haven’t already done so.  And, of course, since there are no time limits in the proposed definition, this issue would exist for everything the company has ever posted on the Internet.

Dark times for the Internet ahead when (and if, as is likely) this new definition goes into effect.

 
