Archive for the ‘Information Technology’ Category

BIS Adds New Controls in the CCL on Integrated Circuits, Helicopter Landing Systems Radars, Seismic Detection Systems and Technology for IR Up-Conversion Devices

Monday, November 24th, 2014 by Brooke Driver

Source: Federal Register

The Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) to impose foreign policy controls on read-out integrated circuits and related “software” and “technology,” radar for helicopter autonomous landing systems, seismic intrusion detection systems and related “software” and “technology”, and “technology” “required” for the “development” or “production” of specified infrared up-conversion devices.

The read-out integrated circuits and related “technology” are controlled under new Export Control Classification Numbers (ECCNs) on the Commerce Control List. An existing ECCN has been amended to control the related “software” for those items.

New paragraphs have been added to certain existing ECCNs to control radar for helicopter autonomous landing systems, seismic intrusion detection systems, and the “technology,” as mentioned, for specified infrared up-conversion devices. Specified existing “software” and “technology” ECCNs have been amended to apply to helicopter autonomous landing systems and seismic intrusion detection systems.

The items are controlled for regional stability reasons Column 1 (RS Column 1) and Column 2 (RS Column 2), and antiterrorism reasons Column 1 (AT Column 1).  For more information, go to http://www.bis.doc.gov/index.php/regulations/federal-register-notices#79fr66288.

 

BIS Imposes $750,000 Fine on Intel Sub Wind River Inc. for Violations of Encryption Export Rules—Really?

Monday, November 24th, 2014 by Brooke Driver

By: Felice Laird

I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.”  I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990’s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm.  And I had never heard of a company being investigated or fined for violations in connection with an encryption export–until now.  And so, I wonder, why this, why now?

First, let me give the standard disclaimer;  I have no knowledge of this case other than what I have read in the documents released by BIS, namely, the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order.  These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story.  In fact, BIS has ordered the companies involved not to say anything publicly about the case, especially not to deny any of the charges, so we will never get the other side of the story.  The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is.  What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large U.S. company for encryption software exports.

For the export compliance professional, there are several really important things to note when reading the documents.  Here are some of them:

  • Wind River Systems is a subsidiary of Intel that was formed after Intel bought Wind River’s assets (and liabilities!) in 2009.  So, the important take away is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations.  So, ask to be at the table in M&A talks.
  • The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.
  • The company submitted a Voluntary Self Disclosure that up until now (when done in connection with an encryption violation) usually leads to a nasty gram from BIS but no fines.
  • BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.
  • The Settlement agreement states that Wind River has to pay up in 30 days, or else they won’t be allowed to use any licenses or exceptions.

From my perspective, enforcement actions are useful training tools.  It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example.  And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures.  Sometimes, I have to appeal to their patriotism as a last resort.  It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.

Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year.  If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?

The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list and the U.S. is obligated to maintain controls to honor commitments made to the Wassenaar member states.  And it is clear that efforts have been made by at least three of the most powerful delegations (U.S., France and the UK) to shore up controls on “cyber security” products, as they actively considered this at the December 2013 Plenary. (BIS deferred publication of CCL changes, affecting “cyber security” products, agreed to at the December 2013 plenary – indicating that these would be published in September, which has come and gone with no reg in sight.)

So, Wassenaar member states have had controls on encryption too.  But no country has a byzantine regulatory scheme comparable to that maintained by the U.S.  Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole.  And so we wonder–should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and Classification reports?  Does NSA really use any of the information?  Does anyone actually read the self-classification reports? ENC shipping reports?

In the few cases over the years that someone from NSA has shown up in daylight to an industry meeting, I always ask the question and get the answer that, yes, the information it gleans from the classification requests and reporting process is still necessary.  I must admit, I have never really bought that story, but that remains part of the answer to the why question.

That brings us back to the timing issue.  The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents.  Perhaps the Wind River case was meant to be a reminder to the industry that the U.S. Government still has the power to regulate which technologies are deployed internationally.

BIS Imposes $750,000 Fine on Intel Sub Wind River Inc. for Violations of Encryption Export Rules–Really?

Friday, October 24th, 2014 by Brooke Driver

By: Felice Laird

I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.”  I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990’s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm.  And I had never heard of a company being investigated or fined for violations in connection with an encryption export–until now.  And so, I wonder, why this, why now?

First, let me give the standard disclaimer;  I have no knowledge of this case other than what I have read in the documents released by BIS last week, namely, the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order.  These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story.  In fact, BIS has ordered the companies involved not to say anything publicly about the case, especially not to deny any of the charges, so we will never get the other side of the story.  The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is.  What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large US company for encryption software exports.

For the export compliance professional, there are several really important things to note when reading the documents.  Here are some of them:

*    Wind River Systems is a subsidiary of Intel that was formed after Intel bought Wind River’s assets (and liabilities!) in 2009.  So, the important take away is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations.  So, ask to be at the table in M&A talks.

*    The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.

*    The company submitted a Voluntary Self Disclosure that up until now (when done in connection with an encryption violation) usually leads to a nasty gram from BIS but no fines.

*    BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.

*    The Settlement agreement states that Wind River has to pay up in 30 days, or else they won’t be allowed to use any licenses or exceptions.

From my perspective, enforcement actions are useful training tools.  It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example.  And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures.  Sometimes, I have to appeal to their patriotism as a last resort.  It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.

Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year.  If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?

The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list and the US is obligated to maintain controls to honor commitments made to the Wassenaar member states.  And it is clear that efforts have been made by at least three of the most powerful delegations (US, France and the UK) to shore up controls on “cyber security” products, as they actively considered this at the December 2013 Plenary. (BIS deferred publication of CCL changes agreed to at the December 2013 plenary affecting “cyber security” products – indicating that these would be published in September, which has come and gone with no reg in sight.)

So, Wassenaar member states have had controls on encryption too.  But no country has a byzantine regulatory scheme comparable to that maintained by the US.  Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole.  And so we wonder–should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and Classification reports?  Does NSA really use any of the information?  Does anyone actually read the self-classification reports? ENC shipping reports?

In the few cases over the years that someone from NSA has shown up in daylight to an industry meeting, I always ask the question and I get the answer that, yes, the information it gleans from the classification requests and reporting process is still necessary.  I must admit I have never really bought that story, but that remains part of the answer to the why question.

That brings us back to the timing issue.  The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents.  Perhaps the Wind River case was meant to be a reminder to the industry that the US Government still has the power to regulate which technologies are deployed internationally.

Satellites and Spacecraft Shift from USML to CCL: The Circle is Now Complete

Wednesday, July 16th, 2014 by Brooke Driver

By: John Black

“I’ve been waiting for you, Obi-Wan. We meet again, at last. The circle is now complete.” –Darth Vader, Star Wars

Darth Vader’s reign ended; so too has the ITAR controls on many commercial communication satellites.

Some of us remember when commercial satellite export controls moved from the ITAR to the EAR in 1996. Soon after that came the Loral and Hughes case, which resulted in millions in penalties for transferring technology to the Chinese to help them figure out why a Chinese Long March rocket carrying a US satellite crashed. (The primary violations in that case were related to the transfer of rocket technology, not the transfer of satellite technology.) Then, in 1998, Congress passed the FY 1999 National Defense Authorization Act that transferred export control jurisdiction of commercial satellites from the flexible, exporter-friendly EAR to the rigid, exporter-unfriendly ITAR.

Now, the US Government has decided to change satellite spacecraft controls so that the USML controls only the most sensitive satellites/spacecraft and related items, while shifting the less sensitive items to the CCL. Importantly, the revised USML Category XV uses performance capabilities and functions as the basis for defining which items warrant ITAR export controls-Category XV does not focus on whether the item is designed for military or commercial applications. So, in some cases, the new Category XV will not control certain satellites designed for the military, and it will control satellites designed for commercial applications. It is not important who you designed it for or who is going to use it. The important decisive factors are capabilities and functions.

(Please do not use the words “military” or “commercial” for describing what is and is not in Category XV. That type of loose and inaccurate description of the post-Export Control Reform (ECR) USML is rapidly becoming one of my biggest pet peeves.)

In the May 13, 2014 Federal Register, the departments of Commerce and State published notices shifting a wide range of satellites/spacecraft and related items off the US Munitions List (USML) and on to the Commerce Control List. And, as we have seen in past ECR list shifts, when things shift off the USML, the Commerce Department creates new ECCNs in the Commerce Control List to impose CCL-controls on the shifted items. Past reform list shifted items have gone into 600 series military ECCNs. Most list-shifting satellites, spacecraft and related items go into four new 9X515 space ECCNs. Commerce has also adjusted other ECCNs for various reasons.

The majority of the new changes do not enter into force until November 10, 2014, although I will mention below some instances when certain aspects of the changes have a different effective.

The Waning Influence of Darth Vader: How Does the New Category XV Work?

To understand what happened, we need to look at the new Category XV to identify what has shifted and then at the EAR to see how it controls the shifted items.

“I’m Luke Skywalker. I’m here to rescue you.” Woops! I mean, “I’m John Reg-Whisperer. I am here to rescue (some of) you.”

The new Category XV uses many more detailed descriptions than its predecessor and generally controls fewer items. Most of the items that shift off of Category XV go to 9×515 ECCNs in the CCL. Importantly, some of the USML changes enter into force prior to the regular November 10, 2014 effective date. Integrated circuits formerly controlled by XV(d) and (e) shift to 9A515.d and 9A515.e effective June 27, 2014. The same June 27 effective date applies to 9D515 software and 9E515 technology related to those 9A515.d and .e integrated circuits.

Paragraph XV(a) controls “spacecraft, including satellites and vehicles,” regardless of whether they were designed or developed for research, military or commercial applications. Paragraphs (a)(1) – (a)(13) identify the functions and performance that Category XV uses to control spacecraft.

Paragraph XV(b) now is limited to ground controls systems and simulators specially designed for telemetry, tracking, and control of XV(a) items.

Paragraph XV(c) controls certain GPS-receiving equipment, which will move to Category XII when Category XII is revised.

Paragraph XV(d) no longer controls anything. It formerly controlled radiation-hardened integrated circuits. This change is effective on June 27, 2014. The earlier effective date means that these components will shift to 9A515.d before most of the other Category XV changes.

Paragraphs XV(e)(1) – (21) control specified parts, components, accessories, attachments, equipment or systems. Items not controlled here (or anywhere else in the USML) shift to the 9×515 ECCNs. An interesting aspect of XV(e) is that, in a few places, it says that EAR-controlled spacecraft with certain Category XV content remains EAR controlled-explicitly cancelling out the unwritten, arbitrary so-called ITAR see-through rule. More specifically, XV(e)(17) controls payloads that perform any of the functions in XV(a). Note 2 for XV(e)(17) explains that a spacecraft classified as ECCNs 9A004 of 9A515 keeps that classification even when incorporating a “hosted” payload performing a function in XV(a). (Note 1 to (e)(17) defines “hosted” and other types of payloads.) The, Note 2 to paragraph (e) says paragraph (e) items are subject to EAR controls when they are integrated into an EAR item.

An important aspect of the new XV(e) is that integrated circuits that otherwise would have been controlled by (e) are now 9A515.e, effective June 27, 2104.

Paragraph XV(f) controls technical data and defense services. Paragraph (f) has some non-standard controls on tech data that are worth noting. It clarifies that the scope of defense services may apply, for example, to activities related to EAR controlled spacecraft:

“Defense services include the furnishing of assistance (including training) in the integration of a satellite or spacecraft to a launch vehicle, including both planning and onsite support, regardless of the jurisdiction, ownership, or origin of the satellite or spacecraft, or whether technical data is used. It also includes the furnishing of assistance (including training) in the launch failure analysis of a satellite or spacecraft, regardless of the jurisdiction, ownership, or origin of the satellite of spacecraft, or whether technical data is used.”

Paragraph (f) also has a Note 1 that says that XV(f) does not control technical data related to XV(c) or XV(e) items when such items are integrated into an EAR-controlled satellite. Such data is 9E515. Note 2 says that certain activities and technical data are not subject to the ITAR or EAR: “Activities and technology/technical data directly related to or required for the spaceflight… passenger or participant experience, regardless of whether the passenger or participant experience is for space tourism, scientific or commercial research, commercial manufacturing/production activities, educational, media, or commercial transportation purposes…” This Note 2 appears to exclude from control information related to getting into the spacecraft, lifting weights in the spacecraft gym, using the bathroom and even cooking a steak while onboard, among other things.

Note 3 to paragraph (f) says that EAR99 is the classification for “housekeeping data,” which is “data transmitted to or from a satellite or spacecraft, whether real or simulated, when limited to information about the health, operational status, or function of, or measurements or raw sensor output from, the spacecraft, spacecraft payload(s), or their associated subsystems or components.”

Other ITAR Changes

To make clear that USML Category IV controls may apply when a non-ITAR satellite spacecraft is to be used with a Category IV launch vehicle, Category IV(i) now states:

“Defense services include the furnishing of assistance (including training) in the integration of a satellite or spacecraft to a launch vehicle, including both planning and onsite support, regardless of the jurisdiction, ownership, or origin of the satellite or spacecraft, or whether technical data is used. It also includes the furnishing of assistance (including training) in the launch failure analysis of a launch vehicle, regardless of the jurisdiction, ownership, or origin of the launch vehicle, or whether technical data is used.”

Finally, DDTC revised the ITAR 120.10 definition of technical data to clarify that telemetry data as defined in XV(f) is not technical data.

EAR Controls: “Help me EAR-Bi-Wan Kenobi. You’re my only hope.”

To some extent, many exporters got what they wanted; while DDTC did not shift all commercial satellites off the USML, less-sensitive satellites, spacecraft and related items are not controlled by the EAR and the EAR has 4 new space ECCNs (9A515, 9B515, 9D515 and 9E515) that join other existing ECCNs, such as 9A004, that control space-related items. At the end of the day, most items shifted continue to be fairly highly controlled.

Prior to this list shift, various ECCNs, such as 9A004 controlled items, were used in space. 9A004 is revised so that its paragraph .a controls the International Space Station (ISS) and its paragraph x. controls parts, components, accessories and attachments specially designed for the ISS.

The new 9×515 ECCNs, however, are the highlight of the EAR revisions. The 9×515 ECCNs generally are eligible for No License Required to Canada, have some License Exception STA availability for Country Group A:5 and require a license for everywhere else. The EAR does offer some flexibility to exporters and reexporters, as certain license exceptions, such as RPL, TMP, GOV, LVS, and AVS, are available in certain cases subject to limitation and restrictions similar to those that apply to 600 series items.

The EAR includes the various ITAR clarifications discussed above, such as the explicit limitations on the see-through rule for EAR items containing ITAR content, no controls on housekeeping data, passenger space flight information being classified as EAR99 and telemetry data not being controlled. The EAR also reflects the June 27, 2014 effective date for the shift of integrated circuits from Category XV(d) and (e) to 9A515.d and .e, respectively, so exporters may take advantage of these changes sooner than the other changes.

The new 9A515 is structured similarly to 600 series ECCNs and contains enumerated controls in paragraphs .a – .e and .y, and a catch all control in paragraph .x, catching specially designed items. 9A515.x, however, unlike most 600 series ECCNs, says that 9A515.x does not apply to specially designed items that are

–Microelectronic circuits: This means 9A515.x does not want to control integrated circuits that are not controlled by 9A515.d or .e. Look elsewhere in the CCL for those items.
–Described in certain named ECCNs and paragraphs: This means that if an item is described in one of the specified ECCNs and paragraphs, that ECCN controls the item, not 9A515.x.

9A515.y, which requires a license only for China, Cuba, Iran, North Korea, Sudan and Syria, only applies to items for which there is an interagency approved commodity classification (CCATS) that assigns 9A515.y as the classification.

[Confusion Warning: Because the 9A515.d and .e changes enter into force before the other 9A515 changes, the Federal Register notice actually changes 9A515 twice. The first change is to create 9A515.d and .e effective in June and the second change is to create the rest of 9A515 effective in November.]

Good News for Universities: Universities are eligible to take advantage of a new authorization in License Exception AVS 740.15(e) that authorizes the export of spacecraft and components for fundamental research purposes. AVS authorizes an accredited institution of higher learning to export items to another accredited institute of higher learning, a government research center or to a government funded research center in any country outside of Country Group D:5 and involving only non-D:5 nationals. This must occur in a fundamental research environment where all resulting technical data and information will be shared broadly and will be restricted for proprietary reasons.

Other Changes: In many respects, the new 9×515 space ECCNs are subject to many of the ITAR-lite or ITAR-like policies in the EAR that already apply to the 600 series military ECCNs. For example, the special rules applicable to 600 series ECCNs apply to 9×515 in these cases:

• 734.4 De minimis rule Limitations for Country Group D:5
• 740.2 Prohibitions on the use of license exceptions
• 744.21 Prohibition on export/reexport to China
• 758.1 and 758.2 AES filing requirements
• 758.6 Identify ECCN on the same documents requiring a Destination Control Statement

Action Items for the New ITAR and EAR Rules

Stormtrooper: Let me see your identification.
Obi-Wan Kenobi: [waves his hand] You don’t need to see his identification.
Stormtrooper: We don’t need to see his identification.
Obi-Wan Kenobi: These aren’t the droids you’re looking for.
Stormtrooper: These aren’t the droids we’re looking for.
Export Compliance Expert: These rules are complex.
EAR-Bi-Wan: [waves his hand]. These rules are easy to understand.
Export Compliance Expert: These rules are easy to understand.
EAR Bi-Wan: These changes and classifications will be easy to implement.
Export Compliance Expert: These changes and classifications will be easy to implement.

Feel better?

Unfortunately, while the force was helpful in the movie, I would not be looking for a miraculous force to come to your rescue, unless you consider the force to include the fact that you may continue to use ITAR licenses and approvals for these shifted items as you could for items in earlier ECR list shifts. Some spacecraft, satellites and related items have been freed from the ITAR dark side, but you still have to figure out exactly which of your items and technologies shifted off the USML to the CCL and how you will have to control the shifted items.

Instead of slaying storm troopers with your light saber, you need to get the Federal Register notices and read through them and study them. Those notices are at:

http://www.bis.doc.gov/index.php/regulations/federal-register-notices#79fr27417

http://www.gpo.gov/fdsys/pkg/FR-2014-05-13/pdf/2014-10806.pdf

It might help to play the theme music from Star Wars as you grind through the new regs–it certainly will cause your co-workers to wonder about you (again). Or more appropriately, as you grind through the regs, you might want to hear that famous quote from Chewbacca:

http://soundbible.com/484-Chewbacca-Wookie-Noise.html

“May the Force be with you.”

IT Problems Slow DDTC Commodity Jurisdiction Responses

Wednesday, July 16th, 2014 by Brooke Driver

By: Brooke Driver

Even the government has to deal with IT problems, people. The State Department recently announced that those submitting Commodity Jurisdictions should be advised that, while the DDTC has not stopped accepting CJs for processing, there may be a delay in response due to “ongoing information technology assessments.” Here’s to hoping that “ongoing” doesn’t “go on” for long.

State Department Clarifies Recent Press Release Regarding Tokenization and Cloud Computing

Wednesday, July 16th, 2014 by Brooke Driver

By: Brooke Driver

The Department of State’s Directorate of Defense Trade Controls recently issued minor clarifications to the postings on the Perspecsys, Inc. website relating to an advisory opinion on the secure transfer of technical data via the internet. The advisory opinion is stated below:

“In accordance with [ITAR] § 125.4(b)(9), tokenization may be used to process controlled technical data using cloud computing applications without a license even if the cloud computing provider moved tokenized data to servers located outside the U.S., provided sufficient means are taken to ensure the technical data may only be received and used by U.S. persons who are employees of the U.S. government or are directly employed by a U.S. corporation and not by a foreign subsidiary throughout all phases of the transfer, including but not limited to transmission, storage, and receipt. Inclusions of transfers to foreign persons would require the appropriate authorization from the Directorate of Defense Trade Controls.”

“Additionally, in all cases the technical data must be sent by a U.S. person who is an employee of a U.S. corporation or a U.S. government agency. Transmission of classified information through this means if sent or taken outside of the United States must be accomplished in accordance with the requirements of the Department of Defense National Industrial Security Program Operating Manual.”

The DDTC claims that the advisory opinion is not intended to imply that “sufficient means” to accomplish the requisite assurance levels exist today technologically, nor that tokenization by itself could achieve that end. In addition, the DDTC insists that the advisory opinion states that the use of cloud computing applications (even through tokenization) is limited to receipt and use of unclassified technical data by U.S. entities; transfer to a foreign entity would require separate authorization.
Finally, the DDTC asks readers to remember that advisory opinions are released in response to individual submissions and particular to individual situations, and therefore should not be considered reliable guidance or precedence for the general audience.

BIS Issues Advisory Opinion Confirming that the EAR’s General Technology Note Applies to All ECCNs Controlling ‘Technology’

Friday, May 23rd, 2014 by Brooke Driver

By: D. Jacobson and M. Burton (Source: International Trade Law News, http://www.tradelawnews.com/)

On March 25, 2014 the U.S. Commerce Department’s Bureau of Industry and Security (BIS) issued an Advisory Opinion (reprinted below) clarifying that the General Technology Note (GTN) in Supplement No. 2 to Part 774, <http://www.bis.doc.gov/index.php/forms-documents/doc_download/750-774>, of the U.S. Export Administration Regulations (EAR) applies to all Export Control Classification Numbers (ECCNs) on the Commerce on Commerce Control List “regardless of whether the ECCN specifically refers to the GTN or uses the term ‘required.’”

The reason for this inquiry is that there has been some uncertainty regarding the scope of the GTN in the EAR. This is because the GTN is based on the Wassenaar Arrangement’s (WA) GTN, which applies to the WA’s Dual-Use List. The U.S. Commerce Control List (CCL), however, includes many more items than covered by the WA Dual-Use List, such as items controlled for missile technology reasons, chemical and biological reasons, as well as many U.S. unilateral controls. As a result of Export Control Reform the CCL also contains certain military-related parts and components under the new “600 series” and will soon control commercial space and satellite-related items under the “500 series”.

The related “technology” for an item included on the CCL is controlled under the corresponding “E” Group of the ECCN. In many cases involving items controlled by the WA, the corresponding “E” Group specifically mentions the GTN, such as ECCN 3E001 which covers “‘Technology’ according to the General Technology Note for the ‘development’ or ‘production’ of equipment or materials controlled by 3A . . . 3B . . . or 3C.” Many other “E” Group ECCNs do not refer to the GTN.

The BIS Advisory Opinion makes clear that, while the GTN is based on the WA List, the “EAR does not limit its definition of technology or the GTN to only those technologies controlled in the EAR pursuant to the WA” and “[t]herefore, the GTN and the EAR’s definition of “required” apply to all references to ”technology” in all the ECCNs on the CCL.”

This confirms BIS’s longstanding but heretofore unwritten policy that, regardless of CCL category, the term “required” “refers to only that portion of ‘technology’ or ‘software’ which is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions.” What this means from a practical perspective is that while the GTN applies to all ECCNs, not all technology related to a controlled item is necessarily “required” for its development, production, or use. Thus, careful analysis must be performed when classifying technology under the EAR.

 

 

Under the Wikileaks Radar: Blue Lantern End-Use Checks in Europe

Monday, March 31st, 2014 by Brooke Driver

By: Scott Gearity

When the Export Compliance Training Institute returns to London next month for its seminars on US Export Controls on Non-US Transactions, it seems likely that Julian Assange will still be holed up at Ecuador’s embassy to the UK, the WikiLeaks founder’s home since June 2012. ECTI can neither confirm nor deny that Mr. Assange will make an appearance at the Hilton London Kensington Hotel as a special guest speaker.

Whatever you may think of Mr. Assange’s work, or the allegations that have caused him to seek asylum, it is simply a reality that the leak of a quarter million U.S. Department of State cables beginning in 2010 put an enormous amount of information of interest into the public domain. Some of the contents of the leaked cables are well known – spying by U.S. diplomats to the United Nations, untactful criticism of foreign leaders, the ugly wheeling and dealing involved in attempting to get countries to resettle Guantanamo Bay detainees. But many of the cables relating to more obscure topics have escaped broad public notice.

It is fair to say that among these lesser-known communiqués are those detailing end-use checks conducted by U.S. embassy personnel as part of the Directorate of Defense Trade Controls’ Blue Lantern program. That is not to say that these checks are not a frequent subject to the leaked cables, fully 1,865 of which reference the program. Blue Lantern focuses on Direct Commercial Sales, and is one of two broad U.S. Government end-use monitoring programs. The other is the Department of Defense’s Golden Sentry program, which examines compliance with Foreign Military Sales agreements. (By the way, who names these things? Stan Lee?)

In fiscal year 2012, there were 820 Blue Lantern checks in 103 countries (a large increase from a few years earlier, when the number of checks consistently hovered around 500). The checks are not equally distributed around the world; 195 of the 820 checks initiated in FY2012 were in Europe. While 36 percent of license applications are for exports to Europe, only 24 percent of Blue Lantern cases occur there, reflecting a higher level of trust by the U.S. Government in the many European countries, which are either NATO members or otherwise allies with the U.S. In other words, Europe is the site of a disproportionately low number of end-use checks. But even this relatively small number means the U.S. conducts a Blue Lantern check in Europe almost every working day.

Here are a few of the more interesting selections from cables:

  • The investigations do not necessarily involve an on-site visit. For a check into Aviation Trading Co., Embassy London contacted the U.K. firm and inquired with multiple U.K. Government agencies to establish the firm’s bona fides, but no published cable indicates that an actual visit ever took place.
  • Unfavorable checks in Europe are uncommon but not unheard of. There are several cables to and from Embassy Madrid discussing unfavorable checks involving night vision goggles at Elint, S.A., including a description of an “egregious alteration of a U.S. Non-Transfer and Use Certificate (DSP-83).”
  • The Germans are skeptical of “ITAR-free” products, but want to be kept in the loop. At a 2009 meeting in Bonn, a Ministry of Defense official “expressed strong sentiments against European companies that market allegedly ‘ITAR-free’ defense articles, such as satellites, asserting that such efforts contribute to the deterioration of transatlantic ties and falsely deny the interdependency of European and American defense companies.” Only a year later, the Ministry of Foreign Affairs expressed concern to Embassy Berlin at the array of U.S. Government departments (Commerce, Defense and State) conducting end-use monitoring without notifying the German government.
  • Broker registrations get the Blue Lantern treatment, too. There are numerous cables recounting inquiries made by U.S. diplomats into foreign firms attempting to register with DDTC as brokers. In these cases, embassy personnel often describe their attempts to reach out to contacts in foreign trade and law enforcement to establish if there is any derogatory information about the prospective registrant. In one example from Embassy Copenhagen, ironically marked as “not for internet distribution,” the embassy political officer actually visited the home office of a Danish consultant.

All in all, it seems that as long as a European firm is abiding by the terms and any provisos of a State Department export license, it has little to fear from an end-use check.

Maryland Man Imprisoned for 8 Years for Participating in Conspiracy to Help Iran Launch First Satellite

Thursday, January 30th, 2014 by Brooke Driver

By: Brooke Driver

Nader Modanlo, a born Iraqi and naturalized U.S. citizen living in Potomac, Maryland, was recently sentenced to eight years in prison, three years of probation and a whopping $10,000,000 fine for violating the International Emergency Economic Powers Act, money laundering and obstructing bankruptcy proceedings. A number of government agencies were involved in constructing the case against Modanlo, including U.S. Immigration and Customs Enforcement’s Homeland Security Investigations, the Internal Revenue Service’s Criminal Investigation and the Defense Criminal Investigative Service.

The 53-year-old took part in a complex conspiracy (that took place between the years of 2000 and 2007) to illegally provide satellite related services to Iran. According to the evidence presented at trial, Modanlo used his expertise as a mechanical engineer and his background in finance and strategic policy as they relate to space-based telecommunications to facilitate the creation and launch of Iran’s first satellite.

In 1994, as the principal owner and president of Final Analysis, Inc., Modanlo began a working relationship with POLYOT, an aerospace company owned by the Russian government. Between the years 1995 and 2000, Final Analysis provided POLYOT with telecommunication satellites. Modanlo filed for and received the required licenses for these transactions.

However, in 2001, after Final Analysis was forced into bankruptcy, Modanlo founded New York Satellites Industries, running the company out of his own home. While working for Final Analysis, Modanlo began his illegal contract with POLYOT to construct and launch a remote sensing and telecommunications satellite for Iran, an agreement he honored under the name of his new company. Knowing that direct financial transactions would be difficult due to the sanction against the country, Modanlo and a number of other interested parties, including a former Iranian ambassador, met in Switzerland to discuss the details of the launch and the money exchange. To solve the problem, they formed a fake company called Prospect Telecom and opened a Swiss bank account under that name. Investors transferred funds to this account for the project, including $10,000,000 that was almost immediately sent to Modanlo’s New York Satellite Industries bank account as payment for his help in the launch, which took place October 2005. In the two years following the launch, Modanlo made false statements and withheld information regarding the ownership and aim of Prospect Telecom in bankruptcy proceedings.

Wassenaar Arrangement Modifies Controls on Electronic Surveillance Tools

Thursday, January 30th, 2014 by Brooke Driver

By: Brooke Driver

At its annual plenary meeting in Austria December 3-4, 2013, the Wassenaar Arrangement, a group of 41 countries including the U.S., Russia, the U.K. and most E.U. states, focused on export controls for conventional arms and dual-use goods and technology, agreed on new harsher export controls on cybersecurity technologies, recognizing their great potential for terrorism. Each participating country must now implement these changed policies, one major area of which is surveillance and intelligence gathering tools, including malware and rootkits, which governments can use to bypass security features on electronic devices in order to attain supposedly protected data. Internet protocol network surveillance systems or equipment are also now subject to revised export controls, which include technologies used to screen for malware, viruses and surveillance programs. These technologies are subject to new controls, because representatives of the 41 countries believed that they could be used to both block cyber attacks and grant foreign persons dangerous insight into Western screening systems, increasing the potential for hacks. The agreement also places stricter controls on intelligence gathering technologies that analyze individuals’ or groups’ relational networks and activities, although there will be exceptions for companies using such software for marketing or consumer-monitoring purposes.

Click here for details of these changes and others decided upon at this year’s Wassenaar plenary meeting: http://www.wassenaar.org/controllists/2013/Summary%20of%20Changes%20to%20Control%20Lists%202013.pdf