Rule Change to Ease Export Controls in the Cloud

Good news: New amendments to U.S. export control regulations are on the horizon that could ease licensing requirements when storing or transmitting technical data or software in the cloud—although, naturally, the regulations come with a catch.

In June the State Department’s Directorate of Defense Trade Controls and the Department of Commerce’s Bureau of Industry and Security published proposed rules amending yet more acronyms, the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). Overall, the proposed changes are designed to “facilitate compliance with export controls, update the controls, and reduce unnecessary regulatory burdens on U.S. exporters,” the BIS rule stated.

U.S. export control laws apply not only to the shipment of physical products out of the United States; they apply to the technology and software necessary for the development, production, or use of those products, too. That means every time controlled technology or software is transmitted through the cloud outside the United States to a foreign country, the government deems it an export, potentially subjecting companies to violations of U.S. export laws.

“One of the biggest challenges for U.S. companies is determining where the servers are located that will be storing their data,” says Cheryl Palmeri, with law firm Bass Berry & Sims. That’s a big problem, because if servers are located in countries subject to U.S. export restrictions, the cloud users themselves could be considered in violation of U.S. export rules.

In some cases, “defense manufacturers have tried to negotiate outsourcing arrangements for storage of data, and because servers were located in countries outside the United States, they simply had to cancel the deals,” says Christopher Wall, senior international trade partner with law firm Pillsbury.

The DDTC and BIS proposed rules would go a long way to ease those compliance burdens by changing the definition of “export” to allow companies to store information in the cloud in servers located in foreign countries, as long as the technical data or software is encrypted to prevent access by foreign persons. If approved in their current form, the new rules “could make export control compliance easier,” Palmeri says.

Comments on the proposals are due by Aug. 3.

“If approved in their current form, the new rules would make some of this compliance a lot easier in terms of export controls.”
Cheryl Palmeri, Associate, Bass Berry & Sims

“For defense articles, that makes a huge difference,” Wall says. “It means that large defense companies like Lockheed Martin and Boeing that have technical data subject to ITAR controls can now use cloud storage services outside the United States. That’s a big change.”

Both the DDTC and BIS proposed rules spell out similar circumstances where “sending, taking, or storing” technical data or software would not be considered an export. Specifically, technical data under ITAR, technology under EAR, and software must be unclassified and secured using end-to-end encryption. As explained by the BIS proposed rules, encrypting data “involves encrypting data by the originating party and keeping that data encrypted except by the intended recipient.”

In that respect, the proposed rules don’t eliminate compliance obligations altogether. Instead, changing the definition of “export” in the context of cloud computing would shift the compliance emphasis from identifying the location of servers to ensuring that appropriate encryption safeguards are in place, Wall says.

One important difference between the DDTC and BIS proposed rules is that DDTC strictly requires that encryption standards be certified by the National Institute for Standards and Technology in compliance with federal cryptographic standards. The DDTC further would require that encryption be “supplemented by software implementation, cryptographic key management, and other procedures and controls” in accordance with guidance provided by current NIST publications.

ENCRYPTED EXPORTS

Below the Department of Commerce’s Bureau of Industry and Security’s proposed rule describes the definition of an encrypted technology or software “export” in the cloud.
Paragraph (a)(4) establishes a specific carve-out from the definition of “export” the transfer of technology and software that is encrypted in a manner described in the proposed section. Encrypted information—i.e., information that is not in “clear text”—is not readable, and is therefore useless to unauthorized parties unless and until it is decrypted. As a result, its transfer in encrypted form consistent with the requirements of paragraph (a)(4) poses no threat to national security or other reasons for control and does not constitute an ‘‘actual’’ transmission of “technology” or “software.” Currently, neither the EAR nor the ITAR makes any distinction between encrypted and unencrypted transfers of technology or software for control or definitional purposes. This section specifies the conditions under which this part of the definition would apply. An important requirement is that the technology or software been encrypted “end-to-end,” a phrase that is defined in paragraph (b). The intent of this requirement is that relevant technology or software is encrypted by the originator and remains encrypted (and thus not readable) until it is decrypted by its intended recipient. Such technology or software would remain encrypted at every point intrans it or in storage after it was encrypted by the originator until it was decrypted by the recipient.
BIS understands that end-to-end encryption is not used in all commercial situations, particularly when encryption is provided by third party digital service providers such as cloud SaaS (software as a service) providers and some email services. However, in many such situations, technology or software may be encrypted and decrypted many times before it is finally decrypted and read by the intended recipient. At these points, it is in clear text and is vulnerable to unauthorized release. BIS considered this an unacceptable risk and therefore specified the use of end-to-end encryption as part of the proposed definition. A key requirement of the end-to-end provision is to ensure that no non-US national employee of a domestic cloud service provider or foreign digital third party or cloud service provider can get access to controlled technology or software in unencrypted form.
Source: BIS Proposed Rule.

In contrast, the BIS proposed rule states that “alternative approaches are allowable provided that they work. In such cases, the exporter is responsible for ensuring that they work.”

“It’s basically saying, ‘Buyer beware’,” says John Eustice, a member with law firm Miller & Chevalier. “If you’re going to use encryption outside the [NIST] standard, it better work is what they’re saying.”

Another way that companies can violate U.S. export laws under the proposed rules is if a foreign person—whether a foreign employee here in the United States, or a foreign person abroad—gains access to controlled data in the cloud. So it’s important to “screen whomever you’re doing business with to ensure they’re not located in a prohibited country and are not a prohibited party,” Palmeri says.

Specifically, the DDTC and BIS proposed rules state that sending or releasing encrypted data (cryptographic keys, passwords, network access codes, and the like) would trigger an export control violation. What the rules don’t discuss is standards for password security, “which is kind of like closing the back door but leaving the front door wide open,” Eustice says—since most big hacks result from password breaches.

It’s also important that companies pay attention to the storage restrictions laid out in the proposed rules, says Alexandra López-Casero, a partner with law firm Nixon Peabody. For example, the proposed rules prohibit companies from storing controlled technical data in certain restricted countries: China, Iran, the Russian Federation, for example.

That means cloud users need to get that certification from the cloud service provider. “Having seen some of these contracts, some of them are ridiculously simplified, and they need to cover a little more area,” Eustice says.

“It’s important to know not only where your data will be stored, but also where it will transit,” Palmeri says. “We advise companies to ask cloud providers those questions and to include provisions in their contracts prohibiting their data from being exported to or stored in specific countries subject to U.S. export controls or sanctions laws," she says.

Welcome Guidance

Until the proposed rules, little guidance has been issued for cloud computing and export control items. In 2009 and 2011, BIS issued two advisory opinions in which it “basically took the position that compliance responsibility rested with the cloud user,” Wall says. BIS essentially concluded that cloud providers offer a service, and therefore aren’t “exporters” of controlled technical data.

Enforcement action on this front has also been non-existent, which is “not necessarily surprising, given that a lot of that stuff happens behind closed doors through internal investigations,” Eustice says.

In cases where companies have self-disclosed potential export violations in the course of using cloud computing services, “the agency declined to impose any penalties,” Palmeri says. Why? Probably because agencies understand that this is a new area where export control regulations don’t quite fit, she says.

In March 2014, for example, software-development company Zendesk disclosed in its initial public offering with the Securities and Exchange Commission that it may have violated U.S. export control and sanctions laws, resulting from its acquisition of Singapore-based Zopim, a live-chat software solution provider. Prior to the acquisition, Zopim provided services from servers based in the United States to a number of persons and organizations located in Iran, a country subject to U.S. economic sanctions.

“Zopim also made available for download from the United States certain encryption-functionality software without first having obtained U.S. government authorization to export such software,” Zendesk stated. “In these instances, Zopim may have acted in violation of U.S. export controls and sanctions laws.”

As a condition of the acquisition, Zendesk said that Zopim ended the subscriptions to customers in Iran, screened its customers against a U.S. list of prohibited persons, implemented measures designed to prevent future unauthorized access to the service, and obtained U.S. government permission to export its software.

“It’s important for companies to look at these proposed rules and see what the effect will have been to them and provide comment,” Palmeri says. “The agencies right now really are looking for feedback from industry on what this will mean if these rules are implemented.”