Question: Is there any reason that our company can’t use a cloud storage service provider, such as Dropbox, Google Drive, Box, or Microsoft Office 365, to store and share export-controlled information and technical data? Most businesses are using the cloud these days. Are there any problems with this?
The simple answer is, Yes, there are problems. Serious ones. Uploading your ITAR-controlled technical data, or controlled technology subject to the EAR, to “the Cloud” while maintaining full compliance with U.S. export laws and regulations is very challenging, and carries with it a high risk of violations and penalties. As we’ll be explaining on this blog, regulatory changes appear to be on the way. In the not-too-distant future, U.S. companies may be able to use cloud computing and other online digital services, subject to certain encryption requirements, to transfer and store their unclassified technical data without the need to obtain licenses or other authorizations. Hope is on the horizon. At present, however—yes, there are problems.
Even though cloud computing is a rapidly advancing technology at present, with more and more businesses routinely using Dropbox, Google Drive, and similar online services, this has been—and still is—a confusing regulatory area for which State and Commerce have provided very limited guidance until recently. We’re glad that appears to be changing now.
Nevertheless—even after the long-awaited publication of new Proposed Rules by the DDTC and BIS on June 3 containing multiple clarifications and definitions, and even after the issuance of an interim rule by the DoD on August 26 addressing requirements for cloud computing services—it is still far from clear how exporters can be certain they are fully compliant with the EAR and ITAR and avoid inadvertent violations when uploading controlled data to the cloud. A storm of controversy continues to swirl around the subject of cloud computing, IT security, and export controls. Discussions between the defense industry, research universities, the legal community, and the regulatory agencies are intense and ongoing.
Until the dust settles on this, we recommend extreme caution in using any commercial cloud storage service for information storage and transmission when export controls apply. Without clear regulatory guidance, contracting with a third-party for transferring and storing your ITAR-controlled and EAR-controlled data and technology electronically may expose you and your organization to the risk of violating U.S. export laws, with severe penalties and consequences.
But my cloud service provider assures me that my data is absolutely secure—so secure that they themselves have no way to decrypt my files without my password, even if I asked them to.
Yes, Dropbox, Google Drive, Microsoft Office 365, and similar services offer a secure and convenient online environment for storing and sharing documents, and are widely used and trusted in industry for work collaboration, file sharing, and data maintenance. And it is true that they typically provide multiple security precautions, including using SSL for transmitting content and their own separate layer of AES-256 bit encryption server-side.
Nevertheless, even though these IT companies have strict internal security policies limiting access by their employees to their customers’ files, it is evident in many cases that user-data files stored on their servers are in principle accessible by their staff—which may include individuals who are not U.S. persons as defined by the ITAR.
The convenience, economy, and popularity of online services notwithstanding, the use of third-party providers for storing and sharing ITAR-controlled technical data remains problematic. Why?
Here’s one reason: U.S. export control regulations prohibit the unauthorized sharing of controlled technical data with non-U.S persons or foreign nationals, and also prohibit transactions with certain foreign individuals and states. This prohibition includes any form of sharing, including electronic “transmission,” and including even theoretical access to such data by IT administrators or employees who maintain the electronic data storage and transmission systems and who could potentially monitor them. Whenever you store or transmit controlled technical data via non-company servers, you are, in effect, sending your data through cyberspace on the back of a virtual postcard, and you are liable for any access to that data by unlicensed foreign nationals while it is in storage or transit—even if the access is unintentional, and even if you were not aware that the access was occurring.
Remember that commercial cloud computing and online data storage services are not U.S. defense firms; they are unlikely to have segregated systems to protect ITAR-controlled information from foreign-person access. Under the export regulations currently in effect—ignoring, for the moment, proposed revisions to the EAR and ITAR that are under consideration but haven’t been finalized—even high-level encryption is not an adequate security measure for protecting your company’s controlled technical data on non-company servers. Currently, transfer of the data to a server or network location outside the U.S. constitutes an “export” even if the data is encrypted. Furthermore, providing employees who are not U.S. persons, whether they are employed in the U.S. or at non-U.S. offices, with the ability to access ITAR-controlled data (even if they don’t actually access the data) may constitute an “export,” even if the data is protected by encryption.
Here’s another reason: using external providers of cloud storage and file-sharing services, such as Dropbox, Box, or Google Drive, for ITAR-restricted data is problematic because it is difficult or impossible to know where their servers are physically located (that is, whether they are in the U.S. or overseas), how they route data traffic (particularly during peak hours or off-times), or whether their security procedures are truly adequate all along the line to prohibit access to your data by foreign nationals. Most—if not all—cloud computing services routinely use a network of servers that extends beyond U.S. borders. In reality, you have no idea where your data is currently stored—and wherever that may be, it could change tomorrow. Yet any transfer of data from the user to a server outside the U.S., as well as any transfer of the controlled data between two foreign-located servers, constitutes a “transmission,” and thus an unauthorized export, according to current U.S. laws.
But didn’t all that change this year? I read in the news that BIS and DDTC have relaxed their rules now, in recognition of the growing popularity of cloud computing, and that the export regulations have been amended to permit cloud storage of ITAR and EAR data in certain circumstances. Did I hear you right? Are you telling me that’s not true?
You heard me right. That’s not true. Those amendments to the ITAR and the EAR you heard about have not been made—at least, not yet. Here’s what is true:
On June 3, 2015, both the Commerce Department and State Department published long-awaited proposals for revising the EAR and ITAR in order to provide security standards for the transmission and storage of ITAR- and EAR-controlled data and information. If these Proposed Rules are adopted and finalized, they could well represent an important step towards clarifying what exporters need to do in order to comply with U.S. export controls with regard to the transmission, storage, and “cloud” processing of export-controlled technical data, technology, and software.
Among other things, if the revisions proposed on June 3 are eventually adopted and published as final rules, transmitting or storing electronic data in a way that meets certain specified security standards will no longer constitute an “export” of the data, and therefore will not require a prior export authorization or be subject to some other restrictions. Specifically, the June 3 proposals from State and Commerce both say that sending, taking, or storing technical data, technology, or software will not be considered an export when the following conditions are met:
(1) The data must be unclassified;
(2) The data must be secured using “end-to-end encryption” (as defined in the proposed new rule);
(3) The data must be secured using cryptographic modules compliant with a certain encryption standard—FIPS 140–2, or its successors [in stating this condition, the BIS proposal adds the phrase “or other similar cryptographic means,” whereas the DDTC doesn’t wish to add that phrase]; and
(4) The data must not be stored in certain prohibited countries [for the BIS, this means the server locations can’t be in countries listed in Country Group D:5 (see Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation; for the DDTC, this means no data should be stored on servers situated in ITAR Section 126.1 Proscribed Countries or in the Russian Federation].
At first glance, these proposed changes look very hopeful. By providing clarity and legal certainty in this regulatory area, they promise to simplify the compliance process greatly. If implemented, these provisions could offer U.S. companies the option of using the new cloud technologies for transmitting and storing export-controlled data without the risk of export violations, as long they exercise due diligence to ensure that those data security requirements are met.
On closer examination, however, there are some notable caveats in these Proposed Rules:
(1) Both proposals make it clear that if information should be “released” that permits foreign persons to access your encrypted controlled data (e.g., decryption keys, network access codes, passwords, etc.), then this data transmission or storage will be considered an export, and will be subject to all applicable licensing requirements and restrictions—and penalties for export violations.
(2) To qualify for this exclusion, your transmission or storage must utilize “end-to-end encryption.” In both the State and Commerce proposals, this means that cryptographic protection of the export-controlled data must be continuous and uninterrupted between the originator and the intended recipient (who could be the originator himself, in the case of simple file storage or archiving). At no point in the process can access in unencrypted form be given to any third parties. That includes internet service providers (ISPs), application providers (such as Microsoft Office 360 or Google Office), or cloud storage providers (such as Dropbox or Box), or any other online services.
(Note: BIS and DDTC are insisting on this condition because they are have found that the methods and procedures currently used by third-party digital service providers, including popular cloud software providers and some e-mail services may allow the data transmitted to be encrypted and decrypted multiple times before it reaches its intended recipient. BIS and DDTC both believe this presents an unacceptable risk of unauthorized release. Keeping the data encrypted from start to finish is the simplest and surest way to minimize the possibility that a foreign cloud service provider or a non-U.S. person employee of a domestic cloud service provider will get access to your ITAR-controlled data or EAR-controlled technology or software in unencrypted form.)
(3) To qualify for this exclusion, your export-controlled data cannot be stored on, or pass through, any servers in certain specified countries that pose significant national security risks, including the Russian Federation.
On the whole, the provisions in the June 3 Proposed Rules allowing the transfer and storage of properly encrypted technical data are good news for U.S. exporters and should be welcomed. These changes would allow controlled technical data originating in the U.S. to be stored in one or more countries outside of the United States without export licensing, provided the data has been properly encrypted and isn’t stored in arms-embargoed countries or Russia. The proposed security requirements are strict and would almost certainly create complications for the current business model of most cloud storage providers, forcing them to make some changes in the way they operate if they want to serve customers with EAR- and ITAR-compliance requirements. But the requisite changes would appear to be within their capabilities, and the potential benefits of the new rules—which include, among other things, considerably reduced administrative burdens for U.S. manufacturers and suppliers of defense articles and services— are great.
Remember, however, that until State and Commerce have finalized their proposed amendments, the current regulations remain in effect. Until they have been changed, we recommend using locally hosted applications for storing and sharing sensitive technical data. The pundits may well be right when they tell us that the future of data storage is in the cloud, but for now, if your data is export-controlled, the safest place for it is in-house.
There are other important regulatory changes in the works with the potential to impact cloud computing, IT security, and export controls. Next week we’ll look at a few of them. Sign up today for notifications of future posts—and join the discussion by sending your own questions about export compliance to “An EAR . . . to the ITAR.”
(None of the information is intended to be authoritative official or professional legal advice. Consult your own legal counsel or compliance specialists before taking actions based upon this blog or other unofficial sources.)