Some of the trickier export compliance issues to navigate are the ones related to computing technology, software and data.
Export controls require a license or license exception for certain types of technical data and software, including such computing technologies as encryption [see related post: License Exception ENC and the Complications Around Encryption].
The growth of cloud computing, and the related concept of Software as a Service (SaaS), have raised new questions about how these rules apply, while simultaneously making the regulations relevant to companies that may not even realize they have an export concern.
The reasons for confusion revolve around two issues:
- Even simple cloud computing events – such as sharing a spreadsheet among coworkers at remote locations – rely on multiple layers of interdependent technology. Sharing that spreadsheet involves software (think Excel or Google Sheets), cloud services (Microsoft Azure) and user data; who has possession of it at any given moment is rarely clear.
- Cloud computing is borderless. Cloud storage is designed to assure uninterrupted access to information, which requires the ability to move and store data among servers located around the world.
According to TechCrunch, two-thirds of worldwide cloud computing activity in 2022 was supported by the cloud infrastructure of just three entities: Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) – all of which maintain interconnected data centers around the globe. AWS has data centers in more than 20 countries, including six in China alone, according to Dgitl Infra, which serves the global digital infrastructure industry.
So even if your business operates only in the United States, there is some risk that your export-controlled software or technology is accessible in a foreign location where it doesn’t belong without proper export control authorization. And if you have partners in other countries that handle sales, distribution, manufacturing or aftermarket services, securing access to export-controlled data or technology can be difficult.
Should you be worried? And what steps can you take to prevent the unintentional export of controlled software, technology or data?
So far, neither the Bureau of Industry and Security (BIS) nor the Directorate of Defense Trade Controls (DDTC), which administer the EAR and ITAR respectively, has addressed the issue to a great extent through regulations.
But BIS has published a handful of advisory opinions on the matter, a summary of which is available in the related post: What Happens in the Cloud Stays in the Cloud. The answer depends on your role in the cloud.
Cloud service providers
For the major U.S.-based providers of cloud infrastructure – giants like AWS and GCP – providing “computational capacity” in itself is not subject to the EAR, according to BIS guidance.
This opinion views the cloud service providers like telephone and mobile communications carriers: A carrier like Verizon or AT&T can’t be held responsible for what you say in a phone conversation that’s carried on its network.
There are boundaries to the BIS opinion. If a cloud provider allows access by “foreign persons” to its operating technology – such as technical data and support information that isn’t publicly available – that may in fact become an export subject to the EAR.
Also, cloud services are subject to the same restrictions as any other U.S. entity in providing items to individuals, entities and countries that are under sanction, like Iran and North Korea.
For Software-as-a-Service companies that use the cloud to distribute software functionality that businesses use every day, the questions go beyond storage and retrieval of data.
Examples of these companies include Slack (team collaboration), Salesforce.com (customer relationship management) and Autodesk (CAD/CAM), to name just a few of the thousands that exist. The chances are that you’ll use several SaaS offerings before today is over.
Prior to cloud computing and SaaS, such software would have been made available on CDs or through downloads, which in many instances is a controlled export. But these tended to be housed on individual computers, or available through corporate Local Area Networks, which are relatively easy to secure.
But when CAD/CAM software, as an example, is made available through the cloud, users will create simulations of their own products and manufacturing systems using computer servers that might be located anywhere in the world. Some of these may be for sensitive items, like nuclear power components or navigational systems for the U.S. military.
In such a case, the issue isn’t simply whether they’re exporting software, but that they’re storing details about highly controlled technology.
Since 2016, both the relevant sections of the ITAR (Section 120.54) and the EAR (Section 734.18) have been updated to say that technical data and software are not considered to be exported if the following conditions are met:
- It’s unclassified
- It’s secured with end-to-end encryption (the meaning of which is defined by the regulations)
- It’s secured in a manner which complies with the Federal Information Processing Standards Publication 140-2 or its equivalent;
- It’s not stored in a country under arms embargo (i.e. identified in ITAR 126.1, or in Country Group D:5 in Supplement No. 1 to Part 740 of the EAR.)
Ultimately, it means that SaaS providers must secure their own technology from being exported, but like the cloud service providers, they aren’t likely to be held responsible for the content users place in their network.
Meanwhile, the users of cloud services must take action, including the use of end-to-end encryption, to ensure that their actions are not considered to be exports (potentially requiring a license) under the ITAR or EAR. If the activity is not an export, it logically follows that no license would be required; this is the main advantage of these exclusions from regulation.
End-users of cloud platforms and SaaS systems
With the responsibility of cloud services and SaaS providers limited, the ultimate responsibility for security of information that flows through these systems falls to the end-user. The same regulations that apply to cloud and SaaS entities apply to other businesses as well: Section 120.54 of the ITAR and Section 734.18 of the EAR.
The primary concerns for the end-user are to:
- Determine if their own information is subject to the regulations – regardless of how it may be stored and transmitted [see related post: EAR and ITAR Basics – Getting Started the Right Way];
- Manage export compliance competently and thoroughly as with any other product, service or technology – including responsibility for who accesses controlled software, data or technology outside the United States;
- Ensure data is properly encrypted, if they intend to rely upon an applicable ITAR/EAR exclusion.
Based on industry concerns around these issues, a number of cloud providers now offer what they call government-compliant cloud services. These premium offerings may include things like encryption capabilities that meet the above-referenced federal standard; exclusive storage on servers based in the United States; and operating teams comprised only of U.S. citizens.
For example, the AWS product, called GovCloud US, claims its solutions “comply with FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.”
While these services may offer value, they are also widely misunderstood.
The export regulations define the obligations of exporters, but they don’t prescribe how to meet them.
These premium services aren’t authorized or approved by the U.S. government. So these government-compliant clouds may provide an extra level of security, but they can’t provide indemnity, and they aren’t required in order to be compliant with export regulations.
Do you have questions about the export implications of cloud computing? Visit www.learnexportcompliance.com to learn about our company, our faculty, our staff and our esteemed Export Compliance Professional (ECoP®) certification program. To find upcoming e-seminars, live seminars and live webinars and browse our catalog of 80-plus on-demand webinars, visit our ECTI Academy. You can also call the Export Compliance Training Institute at 540-433-3977 for more information.
Scott Gearity is President of ECTI, Inc.