DDTC Deflates Cloud Puffery


Posted by at 5:25 pm on June 11, 2014
Category: DDTC, Deemed Exports, Encryption

Lonely Cloud by Kate Haskell https://www.flickr.com/photos/fuzzcat/32487111/ CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.

Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data was encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.

So earlier this month, you might have been surprised to see this press release from Perspecsys:

Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).

In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.

Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather the token and the original data are maintained on a secure server which can be used to replace the token when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.
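As an added illustration (not Perspecsys's implementation and not code from the original post), here is a minimal token vault in Python showing the property just described: tokens are random, so recovering the original value requires the lookup table held on the trusted server. The class, field names and sample record are hypothetical.

```python
import secrets


class TokenVault:
    """Token <-> value table; in the scenario above this stays on the trusted server."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so equality matching on the
        # tokenized copy still works (a design choice made for this example).
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)  # random, not derived from value
        while token in self._by_token:          # collision is negligible, but check
            token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Pure table lookup: there is no key or algorithm that maps a token back.
        return self._by_token[token]  # raises KeyError for an unknown token


# Hypothetical names of the fields that hold sensitive content.
SENSITIVE_FIELDS = {"drawing_title", "material_spec"}


def to_cloud(record: dict, vault: TokenVault) -> dict:
    """Copy of the record that is safe to hand to the remote store."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def from_cloud(record: dict, vault: TokenVault) -> dict:
    """Restore the original values; only possible where the vault lives."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record, not real data.
    original = {"part_no": "A-100",
                "drawing_title": "Constructed sample title",
                "material_spec": "Constructed sample spec"}
    stored = to_cloud(original, vault)
    print("sent to cloud:", stored)
    print("restored     :", from_cloud(stored, vault))
```

Whoever holds only the tokenized record has nothing to attack cryptographically; the exposure moves entirely to access control on the vault.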

Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.

DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees were covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.

All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?

[Thanks to an alert reader who pointed out the two press releases to me!]




Copyright © 2014 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)



Spanish Night Vision Dealer Debarred for Unauthorized Re-Exports


Posted by at 6:19 pm on June 10, 2014
Category: DDTC, Part 122

By Spc. Jeffery Sandstrum via http://usarmy.vo.llnwd.net/e2/-images/2007/11/01/9792/ [Public Domain]

Carlos Dominguez and his Madrid-based company Elint SA have been administratively debarred by the Directorate of Defense Trade Controls in connection with his unauthorized re-exports and re-transfers of night vision equipment shipped to him from the United States pursuant to DDTC licenses. The unauthorized re-exports and re-transfers were discovered by so-called Blue Lantern checks conducted by foreign embassy staff at the request of the DDTC to determine the ultimate disposition of items exported from the United States pursuant to DDTC licenses. (Interestingly, the cables requesting the Blue Lantern transfers had been previously disclosed when they were leaked by WikiLeaks.)

As a result of the unfavorable Blue Lantern checks, DDTC first imposed in 2009 a policy of denial on Dominguez and Elint. In 2010, DDTC followed up by sending a directed disclosure demand to Elint and Dominguez. A directed disclosure is a DDTC demand that the recipient investigate its export practices and provide to DDTC a list of all its export violations, a request that Dominguez and Elint not surprisingly ignored. A charging letter followed, also ignored, which led to a finding of default by an administrative law judge and the instant order of debarment.

Although section 127.7 of the ITAR specifies that such administrative debarments are “generally” for a period of three years, the order against Dominguez and Elint mentions no time period and is, presumably, permanent. It is safe to say that DDTC is not amused with Dominguez, and this appears to be in large part because of considerable evidence alleged by DDTC that Dominguez tried to evade the policy of denial by setting up shell companies and acting through third parties.

Interestingly, DDTC claims that it has the authority to issue “directed disclosures” under section 122.5(b) of the ITAR, which is, at best, a rather fanciful construction of that section. That section requires that records “maintained” under section 122.5 must be made available to DDTC, but says nothing about any obligation to create new records at the request of DDTC and then provide them. More interestingly, section 122.5 applies to “persons required to register” under Part 122. That obligation is imposed on persons who engage “in the United States in the business of manufacturing or exporting” defense articles. That, of course, does not cover foreign end users of U.S. exports, so it is not at all clear how DDTC can justify issuing the directed disclosure to Dominguez under section 122.5(b).

Beat the Fokkers


Posted by at 9:32 pm on June 5, 2014
Category: Criminal Penalties, Iran Sanctions, OFAC

Fokker Services Building in Hoofddorp via http://www.fokker.com/sites/default/files/styles/carousel_innovations/public/media/Images/Services/Contact_Fokker_Services_Location_Hoofddorp_637x286.jpg?itok=NYP0cc2k [Fair Use]

The Office of Foreign Assets Control (“OFAC”) announced today that a $21 million fine had been extracted from the Dutch company Fokker Services BV in connection with its export of U.S. origin spare aircraft parts from the Netherlands to Iran and Sudan. The re-exports to Iran and Sudan by a Dutch company were prohibited under section 560.205 of the Iran regulations and section 538.507(b) of the Sudan regulations because the aircraft parts were presumably ECCN 9A991, although this fact is not expressly stated.

Half of the $21 million is being paid in connection with a deferred prosecution agreement with the U.S. Attorney for the District of Columbia. This is disturbing because the OFAC announcement makes clear that the exports were voluntarily disclosed by Fokker to OFAC. One of the major incentives for a voluntary disclosure is to avoid criminal prosecution. After the Fokker case, people are certainly going to think twice about making a voluntary disclosure.

Nothing in OFAC’s description of the reasons for the penalty justifies turning a voluntary disclosure into a criminal prosecution. OFAC describes the violation as “wilful and reckless” because Fokker knew that these were U.S. origin parts. Note that there is no claim that Fokker knew that its export of these parts from the Netherlands to the embargoed countries was a violation of U.S. law, only that it knew that the parts were U.S. origin. Foreign persons might well not understand that exports of U.S. origin parts from their own country and in compliance with their own laws would be illegal, so OFAC is making an unjustifiable leap from knowledge of the parts’ origin to a “wilful and reckless” violation of law. Another aggravating factor was the absence of a U.S. sanctions compliance program at the Dutch company, again hardly a sound reason for turning a voluntary disclosure into a criminal prosecution.

ITAR Registration Puffery: XAND Raises the Bar


Posted by at 6:38 pm on June 4, 2014
Category: Part 122

XAND Data Center via http://www.xand.com/assets/MG_2226_Low-1024x668.jpg [Fair Use]

An ongoing feature of this blog has been, for some time, to highlight ITAR registration press releases where companies breathlessly announce their registration under part 122 of the ITAR as if it were equivalent to having been awarded the Nobel Peace Prize, an Oscar, and three Michelin stars on the same day when in fact the State Department routinely hands out Part 122 registration to anyone who can figure out how to fill out a short form, write a check for the registration fee and send both to Washington. Once the check clears, a registration is issued by DDTC without so much as even looking at the registrant’s elevator certificates and corporate cafeteria lunch menu.

So when a friend of the blog pointed out a press release headlined “Xand Earns International Traffic in Arms Regulations (ITAR) Compliance from U.S. Department of State,” it was clear that we had a moral obligation to bring to our readers the latest and greatest in marketing department hyperbole.

Xand, the Northeast’s premier provider of cloud, managed services, colocation and disaster recovery announced today the successful completion of all regulatory requirements required to attain International Traffic in Arms Regulations (ITAR) registration and compliance from the U.S. Department of State, a unique distinction among infrastructure service providers.

Okay, so maybe the “regulatory requirements” meant by Xand were filling out the form and sending the check. Well, you might think that until you see what the company’s Chief Security Officer had to say:

We selected data center facilities in Pennsylvania, New York, and Massachusetts to undergo thorough and exhaustive compliance testing to meet the critical standards of the U.S. Department of State. The end result allows Xand to provide clients with unmatched geographic diversity and redundancy options when it comes to housing, storing, and protecting the data and technology infrastructure needed to power the critically important work of the defense industry.

It seems to me that the State Department ought to tell people that it will revoke the registration of anyone who so fundamentally misunderstands the ITAR as to suggest in public that registration is the result of compliance testing and constitutes a certification that the registrant is compliant.

One other interesting point here is to try to figure out why Xand needed registration in the first place. Registration is required for parties that manufacture items on the USML and for those that export goods or technical data on the USML. Frankly, I’m baffled how a domestic cloud and colocation service provider does either of those things even if it has customers that manufacture or export USML items. Anyone have any thoughts on this?

Having Baggage Is Not A Crime


Posted by at 5:10 pm on May 30, 2014
Category: Criminal Penalties, DoJ, Economic Sanctions, Iran Sanctions, Sanctions

Please Report Any Unattended Luggage by Kenneth Lu https://www.flickr.com/photos/toasty/2619866851/in/photolist-DLUFQ-5z9X21-K3Ta2-4Zvv98-JHpPQ-AEW4c CC BY 2.0 [https://creativecommons.org/licenses/by/2.0/] (cropped)

A federal jury in Ft. Lauderdale, Florida recently acquitted Patrick Campbell on charges that alleged he attempted and conspired to violate U.S. economic sanctions against Iran.  As we reported at the time of his arrest last year, Campbell, who is from Sierra Leone, was detained at JFK Airport as soon as he cleared customs and was found to have uranium inside shoes packed in his luggage.  Prior to his U.S. arrival (and immediate arrest), according to the government, Campbell had been communicating with an undercover ICE agent in Ft. Lauderdale in order to arrange the sale of uranium from Sierra Leone to Iran.

We surmised at the time of his initial charging that Campbell had arguably done nothing in the United States that constituted an attempt or conspiracy to commit a U.S. sanctions violation simply by entering the United States.  Because the Iran Transactions and Sanctions Regulations cover only exports from the United States (which this was not) or exports by a U.S. person (which Campbell was only by virtue of being physically present in the United States), he could only be convicted for what he actually did while in the United States.  The Justice Department tested those boundaries, and a jury wasn’t convinced.  A great deal of credit should be given to Campbell’s attorney, Richard Serafini.

We spoke with Mr. Serafini about the case and the arguments he made to the jury in Campbell’s defense.  Mr. Serafini said that he emphasized to the jury that the Justice Department had not shown beyond a reasonable doubt that Campbell had done anything with the specific intent to violate U.S. sanctions.  In addition, he said that he told the jury that Campbell should not be considered to have committed any criminal acts as a U.S. person simply because he was lured to enter the United States by law enforcement.  Mr. Serafini said that he finally impressed upon the jury that, regardless of any criminal act that may have been committed, Campbell had been entrapped by the ICE agent to do so.

While no one can know what may have led the jury to acquit, it is certainly noteworthy that one or more of those arguments possibly resonated with jurors.  The jury instructions shed a little more light in that the court explained an attempt must be “more than simply preparing” and have a “substantial step … that would normally result in committing the offence.”  What did Campbell do in the United States to meet that requirement?  Having uranium in your luggage could be seen by a jury as “simply preparing.”  As for conspiracy, the jury rightfully asked the court during deliberation whether the undercover agent could be part of the conspiracy.  The court responded simply, “No, a government agent cannot be a co-conspirator.”  In sum, it looks like the facts didn’t fit the crime and a well-marshaled defense portrayed that.

In so far as Campbell’s case has a bearing on subsequent sanctions prosecutions, we may have been clairvoyant in our warning last September:

As the stretch of sanctions includes more foreign individuals and their subsequent imprisonment, the United States may find itself retreating from expanding prosecution after a successful defense or even international criticism that U.S. sanctions as so applied are too attenuated for a reasonable interpretation of the sanctions’ purpose or the laws themselves.

Campbell’s acquittal sends the Justice Department back to the drawing board to reconsider future prosecutions based on undercover operations targeting foreign persons and inviting them to the United States for their unbeknownst arrest. As we reported in the case of a Russian caught up in a similar operation last year, the resulting arrest stirred U.S.-Russian diplomatic waters and resulted in his return to Russia after pleading guilty. Be careful what you do on the Internet, and that goes for the government too.
