Monthly Archives: October 2015

Export-Controlled Data – Store It in the Cloud or Keep It Down Home?

Question: Is there any reason that our company can’t use a cloud storage service provider, such as Dropbox, Google Drive, Box, or Microsoft Office 365, to store and share export-controlled information and technical data? Most businesses are using the cloud these days. Are there any problems with this?

The simple answer is, Yes, there are problems. Serious ones. Uploading your ITAR-controlled technical data, or controlled technology subject to the EAR, to “the Cloud” while maintaining full compliance with U.S. export laws and regulations is very challenging, and carries with it a high risk of violations and penalties. As we’ll be explaining on this blog, regulatory changes appear to be on the way. In the not-too-distant future, U.S. companies may be able to use cloud computing and other online digital services, subject to certain encryption requirements, to transfer and store their unclassified technical data without the need to obtain licenses or other authorizations. Hope is on the horizon. At present, however—yes, there are problems.

Even though cloud computing is a rapidly advancing technology at present, with more and more businesses routinely using Dropbox, Google Drive, and similar online services, this has been—and still is—a confusing regulatory area for which State and Commerce have provided very limited guidance until recently. We’re glad that appears to be changing now.

Nevertheless—even after the long-awaited publication of new Proposed Rules by the DDTC and BIS on June 3 containing multiple clarifications and definitions, and even after the issuance of an interim rule by the DoD on August 26 addressing requirements for cloud computing services—it is still far from clear how exporters can be certain they are fully compliant with the EAR and ITAR and avoid inadvertent violations when uploading controlled data to the cloud. A storm of controversy continues to swirl around the subject of cloud computing, IT security, and export controls. Discussions between the defense industry, research universities, the legal community, and the regulatory agencies are intense and ongoing.

Until the dust settles on this, we recommend extreme caution in using any commercial cloud storage service for information storage and transmission when export controls apply. Without clear regulatory guidance, contracting with a third-party for transferring and storing your ITAR-controlled and EAR-controlled data and technology electronically may expose you and your organization to the risk of violating U.S. export laws, with severe penalties and consequences.

But my cloud service provider assures me that my data is absolutely secure—so secure that they themselves have no way to decrypt my files without my password, even if I asked them to.

Yes, Dropbox, Google Drive, Microsoft Office 365, and similar services offer a secure and convenient online environment for storing and sharing documents, and are widely used and trusted in industry for work collaboration, file sharing, and data maintenance. And it is true that they typically provide multiple security precautions, including using SSL for transmitting content and their own separate layer of AES-256 bit encryption server-side.

Nevertheless, even though these IT companies have strict internal security policies limiting access by their employees to their customers’ files, it is evident in many cases that user-data files stored on their servers are in principle accessible by their staff—which may include individuals who are not U.S. persons as defined by the ITAR.

Read the terms of your storage provider’s user agreement and privacy policy carefully. Those legal documents frequently include such warnings as the following: “If we are required to provide your files to a court or law enforcement agency, which we may do under the conditions set forth above, we will remove the encryption from the files before providing them to the authorized government officials.” You’ll also see various disclaimers of responsibility in case of data-security breaches, and statements indicating that the provider has a process in place for contingencies when their system is compromised. Some cloud storage providers claim in their promotional materials that your data is absolutely secure, but remember that what they advertise and what you agree to when you open an account are two different things.

The convenience, economy, and popularity of online services notwithstanding, the use of third-party providers for storing and sharing ITAR-controlled technical data remains problematic. Why?

Here’s one reason: U.S. export control regulations prohibit the unauthorized sharing of controlled technical data with non-U.S. persons or foreign nationals, and also prohibit transactions with certain foreign individuals and states. This prohibition includes any form of sharing, including electronic “transmission,” and including even theoretical access to such data by IT administrators or employees who maintain the electronic data storage and transmission systems and who could potentially monitor them. Whenever you store or transmit controlled technical data via non-company servers, you are, in effect, sending your data through cyberspace on the back of a virtual postcard, and you are liable for any access to that data by unlicensed foreign nationals while it is in storage or transit—even if the access is unintentional, and even if you were not aware that the access was occurring.

Remember that commercial cloud computing and online data storage services are not U.S. defense firms; they are unlikely to have segregated systems to protect ITAR-controlled information from foreign-person access. Under the export regulations currently in effect—ignoring, for the moment, proposed revisions to the EAR and ITAR that are under consideration but haven’t been finalized—even high-level encryption is not an adequate security measure for protecting your company’s controlled technical data on non-company servers. Currently, transfer of the data to a server or network location outside the U.S. constitutes an “export” even if the data is encrypted. Furthermore, providing employees who are not U.S. persons, whether they are employed in the U.S. or at non-U.S. offices, with the ability to access ITAR-controlled data (even if they don’t actually access the data) may constitute an “export,” even if the data is protected by encryption.

Here’s another reason: using external providers of cloud storage and file-sharing services, such as Dropbox, Box, or Google Drive, for ITAR-restricted data is problematic because it is difficult or impossible to know where their servers are physically located (that is, whether they are in the U.S. or overseas), how they route data traffic (particularly during peak hours or off-times), or whether their security procedures are truly adequate all along the line to prohibit access to your data by foreign nationals. Most—if not all—cloud computing services routinely use a network of servers that extends beyond U.S. borders. In reality, you have no idea where your data is currently stored—and wherever that may be, it could change tomorrow. Yet any transfer of data from the user to a server outside the U.S., as well as any transfer of the controlled data between two foreign-located servers, constitutes a “transmission,” and thus an unauthorized export, according to current U.S. laws.

But didn’t all that change this year? I read in the news that BIS and DDTC have relaxed their rules now, in recognition of the growing popularity of cloud computing, and that the export regulations have been amended to permit cloud storage of ITAR and EAR data in certain circumstances. Did I hear you right? Are you telling me that’s not true?

You heard me right. That’s not true. Those amendments to the ITAR and the EAR you heard about have not been made—at least, not yet. Here’s what is true:

On June 3, 2015, both the Commerce Department and State Department published long-awaited proposals for revising the EAR and ITAR in order to provide security standards for the transmission and storage of ITAR- and EAR-controlled data and information. If these Proposed Rules are adopted and finalized, they could well represent an important step towards clarifying what exporters need to do in order to comply with U.S. export controls with regard to the transmission, storage, and “cloud” processing of export-controlled technical data, technology, and software.

Among other things, if the revisions proposed on June 3 are eventually adopted and published as final rules, transmitting or storing electronic data in a way that meets certain specified security standards will no longer constitute an “export” of the data, and therefore will not require a prior export authorization or be subject to some other restrictions. Specifically, the June 3 proposals from State and Commerce both say that sending, taking, or storing technical data, technology, or software will not be considered an export when the following conditions are met:

(1) The data must be unclassified;

(2) The data must be secured using “end-to-end encryption” (as defined in the proposed new rule);

(3) The data must be secured using cryptographic modules compliant with a certain encryption standard—FIPS 140-2, or its successors [in stating this condition, the BIS proposal adds the phrase “or other similar cryptographic means,” whereas the DDTC doesn’t wish to add that phrase]; and

(4) The data must not be stored in certain prohibited countries [for the BIS, this means the server locations can’t be in countries listed in Country Group D:5 (see Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation; for the DDTC, this means no data should be stored on servers situated in ITAR Section 126.1 Proscribed Countries or in the Russian Federation].

At first glance, these proposed changes look very hopeful. By providing clarity and legal certainty in this regulatory area, they promise to simplify the compliance process greatly. If implemented, these provisions could offer U.S. companies the option of using the new cloud technologies for transmitting and storing export-controlled data without the risk of export violations, as long as they exercise due diligence to ensure that those data security requirements are met.

On closer examination, however, there are some notable caveats in these Proposed Rules:

(1) Both proposals make it clear that if information should be “released” that permits foreign persons to access your encrypted controlled data (e.g., decryption keys, network access codes, passwords, etc.), then this data transmission or storage will be considered an export, and will be subject to all applicable licensing requirements and restrictions—and penalties for export violations.

(2) To qualify for this exclusion, your transmission or storage must utilize “end-to-end encryption.” In both the State and Commerce proposals, this means that cryptographic protection of the export-controlled data must be continuous and uninterrupted between the originator and the intended recipient (who could be the originator himself, in the case of simple file storage or archiving). At no point in the process can access in unencrypted form be given to any third parties. That includes internet service providers (ISPs), application providers (such as Microsoft Office 365 or Google Office), cloud storage providers (such as Dropbox or Box), or any other online services.

(Note: BIS and DDTC are insisting on this condition because they have found that the methods and procedures currently used by third-party digital service providers, including popular cloud software providers and some e-mail services, may allow the data transmitted to be encrypted and decrypted multiple times before it reaches its intended recipient. BIS and DDTC both believe this presents an unacceptable risk of unauthorized release. Keeping the data encrypted from start to finish is the simplest and surest way to minimize the possibility that a foreign cloud service provider or a non-U.S. person employee of a domestic cloud service provider will get access to your ITAR-controlled data or EAR-controlled technology or software in unencrypted form.)

(3) To qualify for this exclusion, your export-controlled data cannot be stored on, or pass through, any servers in certain specified countries that pose significant national security risks, including the Russian Federation.
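As an added illustration (not code from the original post), here is what “end-to-end” means in practice for the provider scenario described above: the data is encrypted on the originator’s own system with a key the provider never receives, so the provider, its non-U.S.-person staff, and any intermediate server hold only ciphertext, and the custodian model shows that handing over the key (the “release” in caveat 1) is exactly what restores their access. It uses Go’s standard-library AES-256-GCM; the names Blob, Seal, Open and Custodian and the object label are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Blob is all the cloud provider ever receives: nonce, ciphertext and GCM tag.
type Blob struct {
	Nonce, Ciphertext []byte
}

// NewDataKey generates a 256-bit key on the originator's own system.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext locally, before upload. The label (e.g. the object
// path) is bound as associated data, so a stored blob cannot be quietly moved
// under another path. Whether the cipher module is FIPS 140-2 validated is a
// separate question this example does not settle.
func Seal(key, plaintext, label []byte) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{nonce, gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// Open reverses Seal; it fails on a wrong key, a wrong label or tampering.
func Open(key []byte, b Blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, label)
}

// Custodian is the set of keys one party holds, by object label. A provider
// doing its own server-side encryption holds one and can decrypt; under
// end-to-end encryption it holds none, until a "release" (caveat 1 above).
type Custodian map[string][]byte

// CanDecrypt reports whether this party can read the stored object.
func (c Custodian) CanDecrypt(label string, b Blob) bool {
	k, ok := c[label]
	if !ok {
		return false
	}
	_, err := Open(k, b, []byte(label))
	return err == nil
}
```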

On the whole, the provisions in the June 3 Proposed Rules allowing the transfer and storage of properly encrypted technical data are good news for U.S. exporters and should be welcomed. These changes would allow controlled technical data originating in the U.S. to be stored in one or more countries outside of the United States without export licensing, provided the data has been properly encrypted and isn’t stored in arms-embargoed countries or Russia. The proposed security requirements are strict and would almost certainly create complications for the current business model of most cloud storage providers, forcing them to make some changes in the way they operate if they want to serve customers with EAR- and ITAR-compliance requirements. But the requisite changes would appear to be within their capabilities, and the potential benefits of the new rules—which include, among other things, considerably reduced administrative burdens for U.S. manufacturers and suppliers of defense articles and services—are great.

Remember, however, that until State and Commerce have finalized their proposed amendments, the current regulations remain in effect. Until they have been changed, we recommend using locally hosted applications for storing and sharing sensitive technical data. The pundits may well be right when they tell us that the future of data storage is in the cloud, but for now, if your data is export-controlled, the safest place for it is in-house.

There are other important regulatory changes in the works with the potential to impact cloud computing, IT security, and export controls. Next week we’ll look at a few of them. Sign up today for notifications of future posts—and join the discussion by sending your own questions about export compliance to “An EAR . . . to the ITAR.”

(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)

Oops! I made a mistake… Can I amend a BIS-748P?

Question: I know what to do if it becomes necessary to amend a State/DDTC authorization for exports under the ITAR. But what if I need to make a change to a Commerce/BIS export license? Can I even do that?

The short answer to your question is, Yes, you can – but there’s a very good chance you won’t need to.

Here’s the skinny on correcting a BIS-748P application form or modifying a previously approved export license through the Commerce Department’s SNAP-R system:

You’ve determined that your export falls under the jurisdiction of Commerce and that the transaction requires a license from BIS. You’ve done your research, put together all the information and documentation you need, and have just successfully submitted a SNAP-R BIS-748P license application online. Not long afterwards, before you have even finished congratulating yourself on another job well done, you suddenly realize—to your embarrassment and disgust—that you entered some incorrect information in one of the data fields in your submission, or that you completely forgot to attach the required documents. You quickly log on again to your SNAP-R account and hunt around frantically for an “Undo” or “Recall” button, but fail to find one. Zero, zilch, zip, nada, nothing. What are you supposed to do? Visions of denied licenses, lost time, angry customers, and potential export violations swim before your eyes. Is this going to be a big problem?

Not to worry. Rest assured that you aren’t the first exporter to mess up a license application form. While it’s true that there isn’t any way to undo or recall your Form BIS-748P online once it’s been submitted, all you need to do is phone the BIS’s Office of Export Services and let them know about the mistake. The licensing officer will then simply mark your application “Returned Without Action” (RWA), which means in essence that your application has been rejected, but without any prejudice to future resubmissions. Once that’s done, you can breathe a sigh of relief, copy your original application, fix the mistakes or omissions, and re-submit it to BIS—correctly, this time!—through SNAP-R. Or, if your only mistake was failing to attach the documentation, the licensing officer will just send you an e-mail requesting those documents, to which you can reply directly and rectify the omission.

But what if your export license has already been approved by Commerce, but now you realize you’re going to have to modify it because some things have changed since then? What should you do?

Well, the good news is that you might not have to do anything at all, if:

(1) your modifications are considered “non-material changes,” according to the detailed description in EAR Section 750.7(c); or

(2) your modifications are covered by the “shipping tolerances” provision of EAR Section 750.11.

The list of “non-material changes” includes such alterations as a change in unit price or total value, a change in intermediate consignee (if the new intermediate consignee is located in the country of ultimate destination), and a change in the address of purchaser or ultimate consignee (if the new address is located within the same country shown on the license). For the details, read through §750.7(c) carefully; there’s a very good chance you’ll find your change listed there. (And, while you’re doing that, take a couple of minutes more to familiarize yourself with the shipping tolerance exceptions in §750.11 as well; it’s practical knowledge that may prove handy!)


Even in the case of a minor change to your company’s name—assuming that the name change is not the result of a change of ownership, a merger, or an acquisition—you may find that all you really need to do is have the administrator for your SNAP-R account update the name online in the Administration Module. A word of caution, though: a company’s name change may or may not be considered a “non-material change” by the BIS; you’ll need to write to them on company letterhead and request an Advisory Opinion about that before proceeding.

Finally, what if you’ve carefully scrutinized Section 750.7(c) of the EAR and determined that the modification you need to make is unfortunately not among the numerous exceptions designated there as “non-material changes”? If that is the case—assuming that you are still shipping the identical items to the identical ultimate consignee—you will need to notify BIS of the change, and it’s up to them to approve or not approve the modification.

You’ll be glad to know that you can deal with this situation online by applying for a “Replacement License” number from BIS. Simply make your request via a SNAP-R Form BIS-748P, using Block 11, “Replacement License Number,” stating concisely what change you are making to the original export license.

In the event that BIS does not approve your “Replacement License” request—they will give you their response in writing—a new export license application will need to be submitted, and approved by BIS, before you can make any further shipments.

Sound easier than you thought it would be? Well, many companies who have entered the regulatory jurisdiction of BIS for the first time recently, thanks to the Export Control Reform Initiative (ECR), have said they were surprised and relieved to discover that Commerce’s controls and licensing regime are often simpler and less restrictive than State’s. Export Licensing Officers have generally found Commerce’s SNAP-R electronic application portal to be more user-friendly than the State Department’s D-Trade system.

There are other significant differences between the two export regimes as well. For example, you do not need to “return” your Commerce export license to BIS once it is no longer valid, as you are required to do with a DSP license from State/DDTC after expiration or exhaustion when it has not been decremented entirely electronically through AES. In future posts, we’ll be spotlighting some other similarities and differences between EAR and ITAR licensing, in addition to providing you with practical information you’ll need when applying for and using Commerce licenses for “600 series” items, which were formerly subject to the ITAR.

Even though the BIS application process is simpler in many ways, be aware that Commerce export licenses typically have more conditions attached than State/DDTC licenses or agreements. And remember this, too: whether you’re exporting your product under a Commerce or a State export license, you and your company are responsible and legally accountable for staying within the authorized scope of the export authorization and strictly observing all its provisos and conditions.

Commerce and State have been increasingly active in export enforcement lately. Civil and criminal penalties for export violations in recent cases have been extremely heavy. Even “minor” export violations of the ITAR and EAR can have very serious consequences for companies and individuals.

Achieving and maintaining corporate ITAR and EAR compliance can be a daunting challenge for U.S. exporters, but we’re here to help. Export Compliance Solutions (ECS) has built a distinguished record based on many years of experience in the field of U.S. export controls. As the nation’s premier export compliance consultants and educators, we offer a wide variety of training, auditing, and advisory services, including live regional and on-site seminars, webinars, export compliance awareness video courses for employees, and other products to support our clients. Give us a call or send us an e-mail today. The ITAR and EAR compliance experts at ECS can help you successfully navigate the sometimes rough regulatory seas of U.S. export controls.
