Archive for the ‘Software’ Category

President Signs Export Controls Legislation Subjecting Emerging and Foundational Technologies to Enhanced Controls

2018/08/30

(Source: Vinson & Elkins LLP, 14 Aug 2018.)

By: David R. Johnson, Esq., drjohnson@velaw.com, +1 202-639-6706; and Daniel J. Gerkin, Esq., dgerkin@velaw.com, +1 202-639-6654. Both of Vinson & Elkins LLP.

The President has signed the National Defense Authorization Act of 2019 (“NDAA”), which, in addition to expanding the jurisdiction of the Committee on Foreign Investment in the United States (“CFIUS”) to review foreign direct investment,1 implements the Export Control Reform Act of 2018 (“ECA”), which sharpens the focus of the U.S. government on emerging and foundational technologies that are deemed not to have been adequately addressed by the prevailing U.S. export control regimes. The NDAA also places limits on the procurement of equipment and services from certain Chinese entities, though certain Members of Congress had adamantly advocated for much more stringent restrictions.

Please find a more detailed discussion of certain of the key aspects of the ECA, as well as the procurement-related restrictions set forth in the NDAA, below.

Export Controls Act of 2018

Permanent Statutory Authority for U.S. Export Controls. With limited exceptions, the ECA repeals the Export Administration Act of 1979, which lapsed several years ago and has been statutorily authorized each year since pursuant to Executive Orders issued under the International Emergency Economic Powers Act (“IEEPA”). Accordingly, the ECA now serves as the permanent statutory authority for the U.S. Export Administration Regulations (“EAR”), which generally govern the export, reexport, and in-country transfer of commercial and dual-use commodities, software and technology, and which are administered by the Bureau of Industry and Security, U.S. Department of Commerce (“BIS”).2

Treatment of Emerging and Other Types of Critical Technologies. In addition to ensuring permanent statutory authority for the existing commercial and dual-use export controls regime, the ECA directs the President, in coordination with the Departments of Commerce, Defense, State, and Energy to develop a “regular and robust process to identify the emerging and other types of critical technologies of concern and regulate their release to foreign persons as warranted regardless of the nature of the underlying transaction.” Specifically, these agencies are tasked by the ECA with identifying “emerging and foundational technologies” that are essential to the national security of the United States, but which are not currently controlled for export purposes.3

The process for identifying such technologies will be informed by publicly available information, classified information, information arising out of the CFIUS review process, and information generated by the various BIS advisory committees, and will take into account the development of such technologies in foreign countries, the effect export controls might have on continuing U.S. development efforts, and the effectiveness of export controls with respect to limiting the proliferation of such technologies to foreign countries.

The identified technologies will, following a notice and comment period, be subjected to enhanced U.S. export controls, possibly to include licensing requirements, and will be proposed for inclusion in multilateral export control regimes. At a minimum, licenses will be required for countries subject to a U.S. embargo, including those that solely are arms embargoed, such as China.4 Please note that license applications submitted by or on behalf of a joint venture, joint development agreement, or similar collaborative arrangement may require the identification of any foreign person with a significant ownership interest in a foreign person participating in the arrangement.

The following activities will be excepted from any licensing requirements:

  • The sale or lease of a finished item and the provision of associated technology if such items and technology are generally made available to customers, distributors, or resellers;
  • The sale or license to a customer of a product and the provision of integration or similar services if such services generally are made available to customers;
  • The transfer of equipment and provision of associated technology to operate the equipment if the foreign person could not use the equipment to produce critical technologies;
  • The procurement by a U.S. person of goods or services, including manufacturing services, from a foreign person if the foreign person has no rights to exploit any technology contributed by the U.S. person other than to supply the procured goods or services; and
  • Contributions and associated support provided by a U.S. person to an industry organization related to a standard or specification, whether in development or declared, including any license of, or commitment to license, intellectual property in compliance with the rules of any standards organization.

The ECA requires reporting to Congress and to CFIUS every 180 days regarding actions taken to identify and control emerging and foundational technologies.

Changes to Licensing Process. The ECA mandates that applications for licenses address “the impact of a proposed export of an item on the United States defense industrial base” and an assessment of whether “the denial of an application for a license or a request for an authorization of any export that would have a significant negative impact on such defense industrial base.” By significant negative impact, the ECA means:

  • “A reduction in the availability of an item produced in the United States that is likely to be acquired by the Department of Defense . . . for the advancement of the national security of the United States, or for the production of an item in the United States for the Department of Defense . . . for the advancement of the national security of the United States.”
  • “A reduction in the production in the United States of an item that is the result of research and development carried out, or funded by, the Department of Defense . . . to advance the national security of the United States, or a federally funded research and development center.”
  • “A reduction in the employment of United States persons whose knowledge and skills are necessary for the continued production in the United States of an item that is likely to be acquired by the Department of Defense . . . for the advancement of the national security of the United States.”

Criminal and Civil Penalties. Like the IEEPA, the ECA authorizes criminal penalties of up to $1 million and imprisonment for not more than 20 years. However, the ECA increases the current inflation-adjusted maximum civil penalty to the greater of $300,000 or twice the value of the underlying transaction. These also are the criminal and civil penalties set forth in the Anti-Boycott Act of 2018.

Treatment of Certain Chinese Telecommunications Equipment Manufacturers and Service Providers

Over the objections of Sen. Marco Rubio, among others, the NDAA ultimately did not reimpose sanctions on Chinese telecommunications equipment manufacturer and service provider, Zhongxing Telecommunications Equipment Corporation (“ZTE Corporation”), and certain of its affiliates, which were subject to a BIS denial order arising out of U.S. export control violations stemming from transactions involving Iran and North Korea. That denial order was terminated, effective July 13, 2018.

The ECA does, however, prohibit federal agencies from procuring or obtaining, or entering into contracts with entities using, equipment, systems, or services that, in turn, use Chinese-origin telecommunications equipment or services deemed to be a “substantial or essential component of any system” or “critical technology as part of any system.” The targeted Chinese-origin telecommunications equipment or services are:

  • Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation or any subsidiary or affiliate of such entities;
  • For the purpose of public safety, security of government facilities, physical security surveillance of critical infrastructure, and other national security purposes, video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Technology Company, Dahua Technology Company, or any subsidiary or affiliate of such entities;
  • Telecommunications or video surveillance services provided by any of the above-named entities or using the above-described equipment; and
  • Telecommunications or video surveillance equipment or services produced or provided by an entity reasonably believed to be owned or controlled by, or otherwise connected to, the Chinese government.

 


1 The changes to the CFIUS review process are discussed in greater detail at http://www.velaw.com/Insights/President-Signs-Sweeping-Expansion-of-CFIUS-Review-of-Foreign-Direct-Investment/.
2 The EAR also encompass the regulations that govern the participation of U.S. persons in unsanctioned foreign boycotts. These regulations now are permanently authorized by the Anti-Boycott Act of 2018.
3 Please note that the EAR currently allow for the imposition of temporary controls on items in accordance with their interim classification within Export Control Classification Number 0Y521.
4 The ECA also requires a review of the current controls on exports, reexports, and in-country transfers for military end uses and military end users in U.S. and United Nations arms-embargoed countries, as well as a review of the Commerce Control List of items that currently are not subject to any licensing for U.S. arms-embargoed countries.


U.S. Department of Justice (DOJ) – Enhanced Security Plan Sets Best Practices for Use of Cloud Services for Sensitive Data

2018/04/04

By: Pablo LeCour, Partner, plecour@deloitte.co.uk; Tina Carlile, Senior Manager, ticarlile@deloitte.co.uk; and Ziyu Chin, Senior Consultant, ziyu.chin@deloitte.co.uk. All of Deloitte.

In December 2017 a global software company serving the telecommunications industry settled charges with the U.S. Department of Justice for violating U.S. controls on foreign access to sensitive data, including export controlled information. As part of the settlement, the company agreed to implement an Enhanced Security Plan designed to increase information security by regulating remote access to company networks and transfers of sensitive data.

The Enhanced Security Plan is a helpful benchmark for network providers seeking to protect sensitive information about U.S. telecommunications networks and other critical infrastructure.

Many tech companies develop software using foreign technical personnel both inside and outside of the U.S. The use of a global technical workforce increases the risk of unauthorized access to U.S. controlled information, including sensitive network data and data critical to the U.S. domestic communications infrastructure. Unauthorized access has consequences from an export controls perspective – under the U.S. Export Administration Regulations (EAR) and U.S. International Traffic in Arms Regulations (ITAR) licenses might be required to store U.S. sensitive data in overseas servers or for non-U.S. persons to handle, transmit or access controlled software, technology or technical data that is subject to U.S. jurisdiction. The Enhanced Security Plan provides an example of how these information security requirements can be met by:

  • Requiring authentication and tracking of changes to systems software through code-signing and other means;
  • Restricting access, transmission and storage of certain sensitive data to U.S.-based servers and U.S.-based network infrastructure; and
  • Controlling access by non-U.S. persons and implementing procedures for the proper vetting and licensing of non-U.S. employees and agents.

Additionally, the Enhanced Security Plan recommends an effective compliance program that includes the following:

  • Appointing a Security Director with appropriate authority, reporting lines, independence, skills, and resources to ensure compliance;
  • Implementing a Security Policy that describes the management of user identity and access, and building systems that monitor unauthorized attempts to access and screen personnel;
  • Conducting periodic third-party audits of the security procedures and their implementation; and
  • Engaging a third-party auditor to ensure compliance.

Companies doing business with the U.S. government or in connection with critical U.S. infrastructure, as well as companies that handle or use export-controlled technology, software, technical data, and cloud or network services, should review the DOJ Enhanced Security Plan requirements and consider including them within their own compliance programs.


It Never Pays to Use Your Church to Cover Your Export Violations

2016/05/05

By: Danielle McClellan

What do a system analyst for a defense contractor, a church volunteer and an owner of 3 US companies all have in common? They are all one woman, who filled each role at the same time and who will now spend 57 months in prison. Hannah Robert, of North Brunswick, New Jersey, recently pleaded guilty to conspiring to violate the Arms Export Act by exporting military technical drawings to India without government approval.

The story begins with Robert as an employee of a defense contractor, where she worked as a system analyst and had access to thousands of export controlled drawings that were used for bids on US Department of Defense (DoD) contracts (Robert held this position until November 2012). In June 2010, she became the founder, owner and president of One Source USA LLC, where she contracted with the DoD to supply defense hardware items and spare parts. In September 2012, Robert opened another defense company, Caldwell Components, Inc., as well as One Source India (located in India), with a resident of India (identified only as R.P. in court documents), which manufactured defense hardware items and spare parts.

Between June 2010 and December 2012 Robert illegally exported defense technical drawings for parts used in the torpedo systems for nuclear submarines, military attack helicopters and F-15 fighter aircraft to R.P. in India. Robert and her India counterpart also sold defense hardware items to foreign customers including the United Arab Emirates Ministry of Defence. Hannah Robert volunteered at a church in Camden County, New Jersey, as a web administrator. This allowed her access to the church’s website where she uploaded the defense technical data. She provided her login and password to the church’s website to R.P. so that he/she could download the files. This process went on for two years and was the way in which Robert and R.P. were able to pass the technical information amongst themselves.

Hannah Robert was also faced with the issue of providing US DoD with faulty wing pins for the F-15 fighter aircraft. Robert provided false and misleading material certificates and inspection reports for the parts. The documents also failed to list that the actual manufacturer of the pins was located in India, not at One Source USA’s New Jersey location, which was listed on all of her DoD bids. The failed wing pins grounded approximately 47 F-15 fighter aircraft and cost DoD over $150,000 to inspect and repair the pins. Robert must pay $181,000 to the DoD to cover the repair costs and forfeit more than $77,000 that she earned from the contracts.

The case was investigated by the special agents of the Defense Criminal Investigative Service’s Northeast Field Office and the special agents of the Department of Homeland Security’s Counter Proliferation Investigations.

More Information: https://www.justice.gov/usao-nj/pr/former-owner-defense-contracting-businesses-sentenced-57-months-prison-illegally


Update Your AESPcLink Software

2014/11/24

By: Brooke Driver

Source: AES Broadcast #2014082

Have you updated your AESPcLink software yet?

If you are having issues with the new Foreign Trade Regulations data fields (Ultimate Consignee Type and License Value) not being visible in AESPcLink, please update your AESPcLink software.

To update:

a. Log in to AESPcLink

b. Go to ‘Tools’ section

c. Click on Update AESPcLink Software

If you are still having trouble updating your software, please contact the AESDirect Helpdesk at 1-877-715-4433.

For further information or questions, contact the U.S. Census Bureau’s Data Collection Branch.  Telephone: (800) 549-0595, select option 1 for AES.

Email: askaes@census.gov


BIS Publishes Advisory Letter Concerning Screening Requirements for Posting Time-Limited EAR99 Software on Public Website

2013/12/31

By: Brooke Driver

At the end of October, BIS posted a response to an email advisory opinion request sent last March that answered the question “Are free trial periods subject to the EAR?” Specifically, the unidentified inquirer wanted to find out if he/she could skip screening for prohibited parties and embargoed destinations during a 30-day trial period of EAR99 classified software that would be publicly available for download from their website. The individual would then perform the necessary screening after the trial period, when the customer is required to purchase an unlock code to continue using the software.

BIS responded that, technically, the product is subject to the EAR during the 30-day trial period, because the software is only available for free download during a limited time period, and is therefore not publicly available under Section 734.7 of the EAR. Commerce was quick to add, however, that just because the software, in this situation, is subject to the EAR, this does not mean that it is in violation of the regulations. As long as the download is completely free and anonymous and the software distributor has no reason to believe that a prohibited person or entity in an embargoed country will download the product, it is not in violation of the EAR.


RH International, LLC and Owner Mohammad Reza Suffer $10,000,000 Fine, 4 Years of Prison and 10 Years on the Denial List

2013/06/18

By: Brooke Driver

On October 18, 2012, RH International, LLC, and its owner, Mohammed Reza Hajian, were convicted of violating the International Emergency Economic Powers Act. RH International was specifically accused of knowingly violating the IEEPA and the Iranian Transactions Regulations by exporting computer and related equipment from the United States to Iran through the U.A.E. without obtaining the necessary license from the Office of Foreign Assets Control.

Based on the facts that:

  • RH management purposefully violated customs laws and
  • The company did not disclose its violations to BIS

RH International was sentenced to:

  • 10-year denial of export privileges
  • 12 months of unsupervised probation
  • $400 fine

Because the company’s owner and operator pleaded guilty to direct involvement in and knowledge of RH’s violations, and because he had displayed, by exporting to Iran through the U.A.E., an affinity for finding illegal loopholes, Reza was charged separately. To prevent Reza from exporting his products as an individual, rather than as a representative of RH, and to punish him for his actions, the court sentenced him to:

  • 10 years on the Denied Persons List
  • 12 months of unsupervised probation
  • 48 months in prison
  • $100 assessment

As if these consequences weren’t severe enough, the court found a loophole of its own; instead of directly demanding a huge fine of RH International, prosecution chose to “reroute” that $10,000,000 fine to Reza himself, who will likely rethink attempting to hoodwink the US government in the future.


Chinese National in US Jailed for Six Years for Exporting ITAR Data

2013/06/18

By: Brooke Driver

On March 25, 2013, Chinese national and former employee of L-3 Communications Holdings Dr. Sixing Liu paid a high price for stealing thousands of computer files that detailed the performance and design of US guidance systems for missiles, rockets and unmanned drones. Certainly this action alone would be enough to merit heavy consequences from the US government; however, Liu did not stop at simply stealing the files, but shared them at universities and government-organized conferences in his home country, apparently hoping to increase his chances of getting hired by a Chinese company.

Paul Fishman, the US attorney assigned to the case, believes that Liu’s nearly six-year prison sentence and conviction on 9 of the 11 counts against him (including possession of stolen trade secrets, violating the Arms Export Control Act and lying to federal agents) were well-deserved: “Instead of the accolades he sought from China, Sixing Liu today received the appropriate reward for his threat to our national security: 70 months in prison.” Unlike Fishman, Liu’s attorney, James Tunick, disagrees with the severity of the sentence, maintaining that the former L-3 employee “made a mistake by having these files on his computer,” but that “he surely did not intend to harm the interests of the United States.”

So, how can we avoid Liu’s fate?

  • Remember that certain files on personal computers require permits in order to be transported, so taking that laptop on an international flight to get some work done (and, let’s be honest, play Angry Birds) is considered an export.
  • Action takes precedence over intention. You may not have purposefully violated export laws, but you will, all the same, be punished for those violations.

In other words, knowledge is your best protection.


Change to ITAR Registration Payment Method: Going Virtual

2011/08/29

By: Holly Thorne

Effective September 26, the Department of State will amend the International Traffic in Arms Regulations (ITAR) to change the method of payment to electronic submission of registration fees. This form of electronic registration will simplify the collection and verification of payments for the Department of State, and hopefully also for registrants, by eliminating the possibility of “lost” submissions and payments and ensuring clarity in the process.

Formerly, ITAR required the respondent to provide separate correspondence via a transmittal letter to certify criminal history, eligibility, and foreign ownership. Often, this mandate was overlooked by the respondent, resulting in the return without action of the incomplete application. The revised DS-2032 incorporates these certifications within the form.

Companies registering on or after October 1, 2011 will be required to submit their payments electronically. Beginning August 2011, registration renewal letters will contain instructions for submitting registration fees electronically.

Individuals and companies engaged in the business of manufacturing, exporting, importing and/or brokering defense articles or services should register with the Directorate of Defense Trade Controls (DDTC) annually. With this change registrants will instead be required to submit registration fees electronically via Automated Clearing House (ACH) payable to the Department of State.

For further information contact: Lisa V. Aguirre, Director, Office of Defense Trade Controls Compliance, Directorate of Defense Trade Controls, Department of State, 2401 E Street, NW, SA-1, Room H1200, Washington, DC 20522-0112; telephone 202-632-2798 or fax 202-632-2878; or e-mail through DDTCResponseTeam@state.gov, with the subject line, “Electronic Payment of Registration Fees.”


EAR Export Controls Amended for High Performance Computers

2011/07/13

By: Anna Barone

The Export Administration Regulations (EAR) have been revised by the BIS to implement changes made to the Wassenaar Arrangement’s List of Dual Use Goods and Technologies, maintained and agreed to by governments participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual Use Goods and Technologies at the December 2009 WA Plenary Meeting.

The changes specifically pertain to:

  • Raising the Adjusted Peak Performance (APP) for digital computers in ECCN 4A003.
  • Revising License Exception APP, the de minimis rule, and post shipment verification reporting requirements in the EAR.
  • The movement of Albania and Croatia from Computer Tier 3 to Computer Tier 1 in the section of the EAR dedicated to export control requirements for high performance computers.

Countries listed in Tier 1 are allied countries or countries that do not pose a national security, nuclear or missile threat to the United States. Tier 3 Countries are all other countries with the exception of the terrorist supporting countries listed in Country Group E:1 of Supplement No. 1 to part 740.

More information on the Wassenaar Arrangement: http://www.wassenaar.org/

More general information: http://www.gpo.gov/fdsys/pkg/FR-2011-06-24/html/2011-15842.htm