ExportLawBlog

Jul

19

Why One of the Swapped Prisoners Did Not Return to Iran.

Posted by Clif Burns at 9:55 pm on July 19, 2017

ABOVE: Nima Golestaneh

In January 2016 the United States and Iran engaged in a prisoner swap. None of the freed prisoners returned to Iran, instead they all chose to remain in the United States, including Nima Golestaneh, the only Iranian national in the group. (The remainder were dual U.S.-Iranian citizens). Golestaneh, who had been nabbed in, and extradited from, Turkey, had been convicted of a scheme to hack into Arrow Tech in Vermont and send its ITAR-controlled software back to Iran.

Now we have a pretty good idea why he may have been selected for a pardon and why he decided that going back to Iran might not have been such a good idea. Yesterday, two Iranians, Mohammed Ajily and Mohammed Rezakhah were added by OFAC to the Specially Designated Nationals and Blocked Persons List (the “SDN List”) and the Department of Justice announced that an indictment against the two had been unsealed. The indictment reveals that Ajily and Rezakhah were Golestaneh’s co-conspirators in the hacking scheme, and it seems certain that Golestaneh made a deal and dropped the dime on Ajily and Rezakhah.

Both Ajily and Rezakhah are currently in Iran and probably have no current plans to visit Disneyland or anywhere else outside Iran. It’s also safe to assume that Golestaneh would not be welcomed with open arms should he turn up in Iran. In fact, that would be an instance of going from the frying pan (a U.S. jail) into the fire (an Iranian one).

The indictment details Golestaneh’s role in the hacking conspiracy. Apparently his job was to procure servers in Canada and the Netherlands. These enabled Rezakhah to download the Arrow Tech software without using an IP address from Iran, which likely would have been blocked by Arrow Tech. The software would not run without a hardware dongle from Arrow Tech, and Arrow Tech informed foreign customers that they would need an export license to obtain the dongle. That dongle not doubt contained the digital key needed to decrypt the program and allow it to run. It looks like Rezakhah hacked into Arrow Tech’s servers to obtain the digital key needed to decrypt the program.

Of course, it’s not just Rezakhah who has a problem in this scenario. If in fact, if Arrow Tech allowed foreign download of ITAR-controlled encrypted software without a license, that was arguably problematic. DDTC has taken the position that items are exported even if encrypted. And, if there is support for that position by DDTC, it can be found in this case, which demonstrates that there is always some possibility that the encryption willÂ be broken. (It now appears that Arrow Tech distributes the software only by optical media and not by download). One has to wonder if the failure of DDTC to adopt rules like those adopted by BIS which exempt encrypted items from the definition of export is, at least in part, the result of what happened in this case.

One other thing bears noting here, namely, the most amusing irrelevant statement ever put in a criminal indictment. For some reason, the indictment notes thatÂ Ajily, Rezakhah’s co-conspirator “received certificates of appreciation for his work from several of the Iranian government and military entities.” Â Seriously, he got certificates he could frame and hang on his office wall. Â Awesome. Â That was a clear violation of the law that forbids receiving certificates of appreciation from Iran. Â I have to imagine that this factoid comes from Golestaneh who, when he was singing to the DOJ, said something on the order ofÂ “AjilyÂ got certificates and all I got was this lousy jumpsuit.”

Permalink

Comments (1)

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jul

13

You Had Just One Job: BIS Spokesman Dodges Qatar Boycott Question

Posted by Clif Burns at 8:34 am on July 13, 2017

Category: Anti-Boycott • BIS

Port of Fujairah by Port of Fujairah via http://fujairahport.ae/wp-content/gallery/gallery/picture-521.jpg [Fair Use]

ABOVE:Port of Fujairah

Eugene Cotilli is the Media/Congressional Liason at the Department of Commerce and is the listed contact for inquiries relating to the Bureau of Industry and Security (“BIS”). Josh Lederman of the Associated Press contacted him to ask him whether the boycott against Qatar by Saudi Arabia, Bahrain, Egypt and the U.A.E. is an unsanctioned foreign boycott for purposes of the BIS anti-boycott rules that prohibit U.S. companies from complying with unsanctioned foreign boycotts. This blog has previously discussed this issue in this post.

This is a perfectly legitimate question. It is an important question because if the rules do apply and a U.S. company accepts a purchase order with an impermissible boycott clause, it is subject to a fine of $284,582 or twice the value of the transaction, whichever is greater. If the order with the impermissible clause is for $1 million worth of goods, the company accepting that order is liable for a civil penalty of $2 million dollars.

So, given the serious consequences of such a violation, Mr. Cotilli certainly provided useful guidance on this simple question, right? Here is his response: no comment. Right, he declined to answer Lederer’s simple and legitimate question. He didn’t even say, Â “I’ll find out and get back to you.”

Part of the purpose of this post is to shame bad government. But there’s another purpose as well. It’s to encourage you to download and save a copy of Josh Lederman’s article and put it in your files. Although the safe play with respect to the Qatar boycott is to treat it as an unsanctioned foreign boycott, as my previous post thought was the case, you might still get caught up in a violation because BIS’s antiboycott rules are ridiculously complex, profoundly unclear and preposterously confusing. You could, even with the best of intentions, run afoul of them because of some clause buried in a letter of credit. Cotilli’s refusal to answer a simple and direct question as to whether the Qatar boycott is covered by these rules may turn out toÂ be your best defense.

You’re welcome.

Permalink

Comments (1)

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jul

11

Don’t Believe Everything You Read in Blogs

Posted by Clif Burns at 5:54 pm on July 11, 2017

Category: BIS • DDTC

Road Warrior at LAX by Clif Burns A lawyer, without any apparent background in export law, recently decided to write a post on export law for “In House,” which bills itself as the “FindLaw Corporate Counsel Blog.” The purpose of the post, it would seem, is to frighten people traveling internationally with their laptops with the suggestion that they may well be greeted on their return trip by an arrest warrant if they don’t have an export license for their laptop. No, really, he actually says that

Traveling abroad? Don’t forget your passport, your laptop, and your export license.

Wh-what export license? Oh, maybe your company attorney didn’t tell you that your laptop requires an export license.

That’s right, the United States requires a license for certain technology and software going abroad.

What the FindLaw post, in order to maximize clickbait value, never reveals is that while technically true that some laptop exports require an export license due to software or technology on that laptop, there are broad license exceptions which mean that, as a practical matter, such licenses are almost never required. That’s what License Exceptions TMP and BAG and the exemption in section 125.4(b)(9) of the ITAR are for. These are, oddly enough, never even mentioned in the FindLaw blog post.

I discussed these provisionsÂ permitting laptops to be exported without a license recently in a post about whether a requirement to check laptops in the cabin holdÂ might mean that these provisions would no longer apply. As explained there, section 125.4(b)(9) and license exception BAG permit export of laptops (and any software or technology on them) accompanying passengers and for their personal use as long as the laptop is password protected. License exception TMP requires that the laptop remain in the effective control of the traveler. (The difference between BAG and TMP is that BAG applies to laptops owned by the traveler and TMP applies to company laptops taken on a business trip).

So, no, if you password protect that laptop and keep it with you on your travels, you’re not going to need a license just to take the laptop with you. (If you intend to transfer the laptop or give the technology or software to someone else in the foreign country, these exceptions won’t apply.)

This all goes to show that, with perhaps one exception, don’t believe everything you read on a blog!

Permalink

Comments (1)

Copyright © 2017 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)

Jul

6

A Boycott Is A Boycott Is A Boycott

Posted by Clif Burns at 6:06 pm on July 6, 2017

Category: Anti-Boycott • BIS

Port of Fujairah by Port of Fujairah via http://fujairahport.ae/?page_id=355 [Fair Use]

ABOVE:Port of Fujairah

As you probably know, various Arab countries, including Saudi Arabia, the U.A.E. and Egypt have imposed a boycott on Qatar, allegedly because of remarks that appeared on the Qatar News Agency’s website where Qatar emir Sheikh Tamim bin Hamad Al Thani called Iran an “Islamic power” and, even worse, said Qatar has “good” relations with Israel. Qatar claimsÂ that the Sheikh never said this and that the QNA website was hacked. U.S. intelligence officials have said that this was likely the work of Vladimir Putin and his band of merry hackers, who were hoping to create a rift among the United States and its Arab alliesÂ — something the hack may well have accomplished.

What you may not know is that the Port of Fujairah, in the United Arab Emirates, has just banned from the port all maritime traffic coming from or headed to Qatar. Now, how many of you immediately thought of the Bureau of Industry and Security’s Anti-Boycott rules when you (just) heard this? “Pshaw,” you say, “those rules only apply to the Arab League Boycott of Israel.” But in fact the Anti-Boycott Rules never even mention that boycott. By their terms, they apply to any “unsanctioned foreign boycott.” Even though the rules go into excruciating details on all matter of things, Â the term “unsanctioned foreign boycott” on which the whole byzantine edifice is constructed, is, oddly, never defined. Â Even so, you can be pretty sure that the boycott against U.S. ally Qatar is one of those “unsanctioned foreign boycotts.”

That being said, consider the following scenario. A customer in Fujairah, UAE, wants to buy from you $2 million worth of fidget spinners. The purchase order contains the following clause:

The shipping terms for the purchased goods are DDP Port of Fujairah (INCOTERMS 2010). The good may not be shipped on a Qatari-flagged vessel or on a vessel that visited, or is destined to visit, Qatar.

Can you accept the order?

The Anti-Boycott rules do provide some limited exceptions to permit compliance with shipping instructions of boycotting countries. Section 760.3(b)(1)(i) permits a U.S. person to comply with a prohibition of shipping the goods on a Qatari-flagged vessel. In addition, section 760.3(b)(2)(i) permits a U.S. person to agree not to ship the goods through Qatar. However, the exceptions only apply to requirements for “shipping goods to the boycotting country.” Any restrictions on where the ship calls after that shipment is complete and the goods are delivered to Fujairah would be a violation of the rules.

So there’s something else for you to worry about. You’re welcome.

Permalink

Jun

30

Jury Award for $60 Million Entered Against Transunion over SDN List Reports

Posted by Clif Burns at 4:49 pm on June 30, 2017

Category: OFAC • SDN List

On June 20, a federal jury awarded a $60 million damage verdict against mammoth credit reporting agency Transunion arising from the company’s misuse of the Office of Foreign Assets Control’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”) on credit reports. The plaintiffs in that case where individuals who were not on the SDN List but whom Transunion identified as such, resulting in adverse credit decisions for these individuals.

The class action lawsuit was based on a number of related violations of the federal Fair Credit Reporting Act and a similar California statute. Among the violations at issue were the provisions of section 1681(e) which requires credit bureaus to “follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” The Third Circuit in Cortez v. Trans Union, 617 F.3d 688 (3d Cir. 2010), previously rejected Transunion’s efforts in that case to make the implausible argument that the SDN ListÂ information it supplied with respect to credit applicants was not part of their credit report.

In the current case, the complaint details the experience of one of the representative plaintiffs with Transunion’s OFAC reporting. That plaintiff, named Sergio L. Ramirez, had a car loan denied because his name was similar to two entries on the SDN List, namely, Sergio Humberto Ramirez Aguirre and Sergio Alberto Cedulo Ramirez Rivera. Not only were the names different, but also the birthdate for Plaintiff Ramirez, which Transunion had in its file on the plaintiff, was different from the birthdates listed in the entries for the two aforementioned SDNs.

OFAC has issued guidance about the use of the SDN List by credit bureaus:

The text on the report should explain that the individualâ€™s information is similar to the information of an individual on OFACâ€™s SDN list. It should not state that the information matches or that the credit applicant is in fact the individual on the SDN list unless the credit bureau has already verified that the person is indeed the SDN.

Even assuming that Transunion followed this guidance, which is not clear, it seems hard to justify transmitting the information to the car dealership when Transunion had information that clearly indicated the credit applicant was not either of the SDNs. It seems to me that credit bureaus can easily protect themselves from outcomes like the $60 million verdict by transmitting SDN information with a disclaimer but doing so only in cases where the credit bureau does not itself have information, such as birthdates, places of birth, etc., sufficient to resolve the potential hit.

Permalink

« Previous posts | Next posts »