Beware the Smiley Face!


Posted by at 6:06 pm on September 13, 2017
Category: Criminal Penalties, Iran Sanctions, OFAC

Camellia George via http://blog.venmo.com/2015/10/20/introducing-camellia-george-kah-meel-ya-head-of-product-development-1 [Fair Use]
ABOVE: Parisa Mohamadi

A recently unsealed criminal complaint alleges that Parisa Mohamadi, an Iranian-born U.S. citizen, was responsible for exports of approximately $3 million of goods from the United States to Iran between 2010 and 2012. The fact pattern alleged in the indictment is a familiar one: the items, requested by Iranian buyers, were purchased by Mohamadi in the United States and shipped to a free zone company she incorporated in Dubai and then were transshipped to Iran from there.

Of course, there is no criminal violation without criminal intent. And in these transshipment fact patterns, where the shipment from the U.S. to Dubai would not require a license (if considered alone) and the shipment from Dubai to Iran was also one that was legal under UAE law, it is conceivable (indeed fairly likely) that the exporter may think that this shipment route is legal. (Remember we live in a country where 7 percent of the population believes that chocolate milk comes from brown cows.)

The criminal complaint understands this issue and tries to forward proof of Ms. Mohamadi’s criminal intent.  Truth be told, the government’s proof of criminal intent by Ms. Mohamadi can only be described as, well, completely whack-a-doodle.

The first “proof” cited by the complaint is this statement made by Mohamadi in an email:

I KNOW WHICH COUNTRIES ARE EMBARGO AND SANCTION AND WHICH COUNTRY WILL BE EMBARGO AND SANCTION, I AM AS SHIP OWNER, SO I KNOW HOW IS SHIPPING WORKS TO FIXED THE SHIPMENTS IN ADVANCE THUS DO NOT WORRY FOR THIS DELIVERY SCHEDULE, I NEVER SHOOT MY SELF.

The complaint adds a snarky footnote pointing out that the spelling mistakes and grammatical errors are those of Ms. Mohamadi alone and not an indication of any illiteracy on the part of the investigating DHS agent who signed the affidavit. This snark might have been justified but for the agent’s reference elsewhere in the complaint to an “I-Phone” (for iPhone) and multiple references to “U.S. Principal Party of Interest” (instead of “U.S. Principal Party in Interest”). Of course, nothing in this difficult-to-parse statement is inconsistent with a belief that the shipment was legal if it went through Dubai first.  As Ms. Mohamadi tried to make clear, she never shoots herself.

But the agent saved the best “proof” for last (with my bold and italics added):

Similarly, on November 1, 2011, Individual D from Iranian Business A emailed MOHAMADI: “How are you. I am at the sanction solution and money transfer conference in the university. So far I we doing it like no one does, very happy to be here, of course I am the youngest here, and and we do it like no one. That’s what separate us from the others.” MOHAMADI responded: “Good to hear that we are the best but off course in knew that already.” This was followed by three smiley faces.

The best I can tell the agent believes that the smiley faces are proof of criminal intent because nothing else in Mohamadi’s quoted statement about “being the best” even comes close. You might recall that FBI agents get specific training in smiley faces and their meaning, so I suppose DHS agents get that training as well.

And that’s it. That’s what the criminal complaint cites to prove that the defendant knew that shipping items from the U.S. through a foreign company in Dubai to Iran was illegal: three smiley faces and a desire not to shoot herself. Maybe that’s why Ms. Mohamadi doesn’t have much of a smiley face in her mug shot.




Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Florida Imposes Its Own Embargo on Cuba


Posted by at 5:34 pm on September 11, 2017
Category: BIS, Cuba Sanctions, OFAC

Last week, before other things got in the way, Florida governor Rick Scott looked in the mirror and suddenly realized that he had been elected by the American voters to run the foreign policy of the United States. So, without further delay, Scott announced that Florida would cut off all state funding for any port that permitted traffic to Cuba. As a result, the ports in Everglades and Palm Beach cancelled memoranda of understanding that they were planning to sign with Cuban officials visiting the state.

Now, of course, we all understand that Governor Scott’s 8th grade civics class may not have covered some of the finer points of the U.S. Constitution, and we also understand that Cuba-bashing is a favorite sport for Florida politicians, but even a quick review of the Supreme Court’s decision in Crosby v. National Foreign Trade Council reveals the problems with the governor’s actions here. In Crosby, Massachusetts prohibited state agencies from buying goods from companies that did business with Burma. The Supreme Court held that the law was preempted by the Supremacy Clause of the United States Constitution. In doing so, the Court noted that the Massachusetts law interfered with the ability of the federal government to conduct foreign policy with respect to Burma. Central to that holding was the court’s finding that the Massachusetts law penalized companies for engaging in trade with Burma that was expressly permitted by the federal sanctions against Burma.

Here, Governor Scott’s threat extends to all trade with Cuba, even if that trade is permitted by a specific or general license. So, to take a timely example, it is legal, under section 515.591 of the Cuban Assets Control Regulations and License Exception SCP of the Export Administration Regulations to export goods and services to Cuba to assist with rebuilding infrastructure damaged by Hurricane Irma. Yet, under the threatened action, if that relief is shipped through a Florida port, that port will be penalized by Florida. This does seem, shall we say, pretty ungrateful under the circumstances: Irma’s strength, and impact on Florida, was lessened by the time she spent wreaking havoc on the northern coast of Cuba. Florida ought to think of that before blocking aid to Cuba in rebuilding destroyed infrastructure.

Photo Credit: Rick Scott Head Shot by Rick Scott [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/7Td7dc 2007 [cropped]. Copyright 2007 Rick Scott




OFAC’s FAQs on Venezuela Sanctions Omit the Most Frequently Asked Question


Posted by at 11:49 pm on August 30, 2017
Category: OFAC, Venezuela

Last week the Office of Foreign Assets Control (“OFAC”) announced a set of new sanctions on Venezuela and its petroleum company Petroleos de Venezuela, S.A. (“PdVSA”) as set forth in the newly published Executive Order 13808. Under the Executive Order, U.S. persons are prohibited from dealing in (1) new debt of the Government of Venezuela extended after August 24 with a maturity greater than 30 days, (2) new debt of PdVSA extended after August 25 with a maturity greater than 90 days, (3) bonds issued by the Government of Venezuela or (4) dividends or other profit distributions paid to the Government of Venezuela by entities owned by the Government of Venezuela. At the same time, it issued four general licenses authorizing, among other things, wind-down transactions, transactions involving CITGO and transactions involving agricultural commodities, medicine or medical devices.

The prohibitions on dealing in new debt closely parallel similar restrictions that OFAC imposed on certain Russian entities and, in fact, OFAC issued FAQs on the new Venezuela debt prohibitions that are identical to the FAQs on the Russian debt prohibitions. As a result, and once again, OFAC doesn’t answer in its FAQs what is in fact the most frequently asked question about new debt — namely, does new debt cover instances where PdVSA or the Government of Venezuela fails to pay for goods or services rendered within 30 or 90 days after the services are rendered or the goods are provided.

Certainly, it seems clear that it would be debt where the contract provides for and allows payment after these 30-day and 90-day periods as applicable. But suppose you have a contract with PdVSA which provides for payment net 30. Does that become “new debt” with a maturity greater than 90 days when, on day 91, PdVSA fails to pay? And since the FAQs say that the prohibitions do not extend to debt extended prior to August 25, 2017, when was this debt extended if the goods or services were provided prior to August 25? Did that occur on Day 31? Or day 91? Given what appears to be the not uncommon practice of these two entities of not paying on time, these are not simply brain teasers that I have cooked up to tease the folks at OFAC.

Of course, it seems that there would be a good argument that an involuntary extension of debt in such a situation should not be covered, although nothing in the order or the FAQs makes this clear. If such involuntary extensions are included in the prohibitions, should the contracting party file a voluntary disclosure as soon as possible after PdVSA accounts receivable age out over 90 days? And even if involuntary extensions of debt are exempted, what does the party to the agreement with PdVSA or the Government of Venezuela have to do to prove that the extension of debt is involuntary? Sue? Withhold further services? Stop future deliveries? Send a nastygram from its lawyers demanding payment?

Rather than answer these questions, which, no doubt, large numbers of people with accounts receivable from PdVSA or the Government of Venezuela are asking at this very moment, OFAC’s FAQs dither around on the esoterica of, among other things, whether the new sanctions prohibit getting bank financing to purchase goods from PdVSA (no) or prohibit maintaining correspondent accounts for state-owned Venezuelan banks (no, as long as no debt of greater than 30 days is extended). This is all baffling and simply further evidence that the people at OFAC who administer these regulations have little idea of how business actually works.

Photo Credit: CITGO Gas Station by Mike Mozart [CC-BY-SA-2.0 (http://creativecommons.org/licenses/by-sa/2.0)], via Flickr https://flic.kr/p/oMJJ6w [cropped]. Copyright 2014 Mike Mozart

 




BIS Implements Wassenaar’s Note 4 Amendment: Accentuate the Positive


Posted by at 10:07 am on August 24, 2017
Category: BIS, Encryption

Maxwell Smart's Shoe Phone [Fair Use]

Last week the Bureau of Industry and Security published a final rule implementing the changes adopted by the December 2016 Wassenaar Arrangement Plenary meeting. Most of these changes are the usual nits and quibbles cooked up to justify a nice government-paid international trip by the delegates. Like this:

The Heading of 1C608 is amended by adding double quotes around the defined term “energetic materials” …

The most interesting change, however, at least in my view, was the re-working of Note 4, which provides a broad exception to export controls on encryption.   Allegedly, the change wasn’t supposed to change anything, and BIS’s notes to the amendments say just that.   This, of course, would lead ordinary people to wonder why change something you don’t want to change, but, of course, I guess they felt guilty charging their governments for simply re-arranging semicolons, adding quotation marks and correcting spelling errors in the Wassenaar lists.

Part of the problem in the new, improved version is that it’s going to be harder to explain to clients.  Anyone who has spent much time dealing with software engineers on encryption export matters will immediately see the difficulties ahead.   (That means anyone who has had to argue with a software engineer that his program is still covered even though the encryption routines are called from the operating system.)  This post is intended to help you in that process (as well as to make fun of a note added to 5A002 by the amendment).

So, let’s take a quick trip down memory lane and now look at the text of the old Note 4.

Note 4: Category 5—Part 2 does not apply to items incorporating or using “cryptography” and meeting all of the following:
a. The primary function or set of functions is not any of the following:
1. “Information security”;
2. A computer, including operating systems, parts and components therefor;
3. Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
4. Networking (includes operation, administration, management and provisioning);
b. The cryptographic functionality is limited to supporting their primary function or set of functions. …

Under the new amendments, the idea is “the creation of positive text in 5A002.a to specify the items subject to control.” I bet the entire encryption world was anxiously awaiting that, don’t you? So, to create this, er, “positive text” subsections 1, 2 and 4 have been moved to the text of ECCN 5A002. Subsection 1 becomes 5A002.a.1, subsection 2 becomes a.3 and subsection 4 becomes a.2 as follows:

a. Designed or modified to use ‘cryptography for data confidentiality’ having ‘in excess of 56 bits of symmetric key length, or equivalent’, where that cryptographic capability is usable without “cryptographic activation” or has been activated, as follows:
a.1. Items having “information security” as a primary function;
a.2. Digital communication or networking systems, equipment or components, not specified in paragraph 5A002.a.1;
a.3. Computers, other items having information storage or processing as a primary function, and components therefor, not specified in paragraphs 5A002.a.1 or .a.2

And, if you look closely, you can see that part of 3 was slipped into a.3 when it references items having “information storage” as a primary function. (Operating systems now get caught in 5D002.a.1 which controls software for the use of computers described in 5A002.a.3).

But what about items with the primary purpose of sending and receiving information? In the software context, this meant, for example, email and FTP programs, which were not considered eligible for the Note 4 exemption. You have to assume that is now captured by a.2, which talks not just about networking but also about “digital communication.”

That leaves subsection b on Note 4, which, frankly, never seemed to apply to much of anything. That now becomes a.4:

Items, not specified in paragraphs 5A002.a.1 to a.3, where the ‘cryptography for data confidentiality’ having ‘in excess of 56 bits of symmetric key length, or equivalent’ meets all of the following:
a.4.a. It supports a non-primary function of the item; and
a.4.b. It is performed by incorporated equipment or “software” that would, as a standalone item, be specified by ECCNs 5A002, 5A003, 5A004, 5B002 or 5D002.

Because it’s not clear what exactly such an item would be, the amendment adds a not very helpful note, in the theme of creating “positive text,” to the new 5A002 to give examples of some items that are not 5A002.a.4. Here’s one:

An automobile where the only ‘cryptography for data confidentiality’ ‘in excess of 56 bits of symmetric key length, or equivalent’ is performed by a Category 5—Part 2 Note 3 eligible mobile telephone that is built into the car. In this case, secure phone communications support a non-primary function of the automobile but the mobile telephone (equipment), as a standalone item, is not controlled by ECCN 5A002 because it is excluded by the Cryptography Note (Note 3)

Okay, I’m going to say it: what century do the plenary delegates live in? Did they all travel in a time machine from 1980 to Wassenaar? Mobile phones built into cars?

So while we’re engaged in time travel, here’s an example of something that would be caught by 5A002.a.4: Maxwell Smart’s shoe phone. Of course, I’m assuming that like any good phone it incorporates non-standard cryptography. The principal purpose of the shoe is, of course, walking and the cryptography supports its non-primary function of talking. So there.




OFAC Repeals, IPSA Facto, Iran General License H.


Posted by at 6:29 pm on August 15, 2017
Category: General, Iran Sanctions, OFAC

IPSA Phoenix Office via Google Maps [Fair Use]
ABOVE: IPSA Phoenix Office

Last Thursday, the Office of Foreign Assets Control (“OFAC”) announced that IPSA International had agreed to pay a fine of $259,200 to settle charges that it violated the Iranian Transactions and Sanctions Regulations (“ITSR”) in connection with background investigations conducted on Iranian nationals by IPSA’s foreign subsidiaries. In order to support the charges against IPSA, OFAC unnecessarily concocted a theory which effectively repeals Iran General License H and substantially increases the risk that U.S. companies will be fined for what had previously been thought to be legal activities by foreign subsidiaries involving Iran.

At issue are two contracts entered into by IPSA: one with a foreign government (“Contract #1”) and the other by IPSA’s Canadian subsidiary with a foreign government-owned financial institution (“Contract #2”). Both contracts required background checks on various individuals, some of whom were in Iran. Those background checks, including the ones in Iran, were conducted not by IPSA but by its Canadian subsidiary and another subsidiary in Dubai. OFAC concedes that both subsidiaries “managed and performed” the background investigation contracts involving the Iranian nationals. Significantly, OFAC does not allege or claim that the results of these investigations were ever communicated by either foreign subsidiary to IPSA in the United States. Nevertheless, OFAC claims the conduct of these investigations in Iran constituted a violation of the ITSR.

In the case of Contract #2, OFAC alleges that IPSA violated the prohibition against facilitation in section 560.208 of the ITSR when it “reviewed, approved, and initiated the foreign subsidiaries’ payments to providers of the Iranian-origin services.” That, if true, would make out a fairly clear-cut facilitation violation by IPSA.

Things get problematic, however, in the case of Contract #1. OFAC asserts that in that case  IPSA imported Iranian-origin services into the United States in violation of section 560.201 of the ITSR.  This was not because the results of the background checks were communicated to IPSA in the United States because, as we’ve noted, OFAC has not alleged that occurred.  It was because the background checks in Iran were conducted “for the benefit of” IPSA.

This is a troubling rationale because everything done by a foreign-incorporated subsidiary of a U.S. company is “for the benefit” of the parent company in the United States. Under this benefit theory, General License H, which permits certain activities by foreign subsidiaries, is completely eviscerated. IPSA’s signing and entering into the contract performed by the subsidiaries clearly facilitated those activities in violation of section 560.208 of the ITSR, so there was no need to suggest a violation based on a benefit theory. It is unclear why OFAC would have chosen in the case of Contract #1 to argue importation of services under a benefit theory rather than facilitation unless it intended to create uncertainty about the proper scope of General License H.

 

 
