Originally published by the Journal of Commerce Magazine - February 2011
It is impossible to pick up a technology publication these days without seeing yet another article about cloud computing and how it is the next great thing to make our lives better, other than the gadgets we all love. While there are likely a number of benefits with cloud computing, for those who deal with products (and their technical data) subject to U.S. export license restrictions, it is a minefield waiting to explode.
There were those who hoped that Commerce’s Bureau of Industry and Security (BIS) would clear things up with its January 11, 2011 Advisory Opinion. Many think it did not, but is that necessarily the only conclusion to be reached? Before we decide, let’s start with a bit of history. In January 2009, BIS issued an Advisory Opinion to a company providing grid and cloud computing services. Put another way, this entity provided the systems others used to support and store their data. Grid computing was described as an arrangement in which the servers could be all over the world and would function as a network. Cloud computing was explained to mean accessing the network through the Internet or cloud. The company asked BIS to address five (5) questions.
1) Whether grid and cloud computing services, in the absence of any transfer of software or technology subject to the Export Administration Regulations (EAR), is subject to the EAR under part 734;
2) Whether grid and cloud computing services constitutes an "activity unrelated to exports" under EAR §744.6;
3) Whether grid and cloud computing service providers are "exporters" of any derivative data resulting from the use of the computational capacity and liable for export screening on that basis alone;
4) Whether computational access restrictions found in §740.7(b)(2) of the License Exception APP apply to grid and cloud computing service providers; and
5) Whether the grid and cloud computing service provider must inquire about the nationality of the customer or user.
In its Opinion, BIS did provide an answer to each question, but in summary, the agency said if you simply provide the system which is used for computing, you are not an exporter. Therefore, you are not subject to the EAR. However, if you provide software to the user, you are exporting a product and so are subject to the EAR, unless the software is publicly available as defined in the EAR. Further, if manuals, instructions, plans, etc. are provided to users or staff, those, too, are exports and so the EAR again applies. Of course, if the service provider knowingly facilitated activity tied to missiles in Country Group D:4 or chemical/biological weapons, all bets are off. Knowledge is defined at EAR § 772.1 - know, reason to know, reason to believe, knowledge, etc., all refer to a "circumstance including not only positive knowledge that the circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence. Such awareness is inferred from evidence of the conscious disregard of facts known to a person and is also inferred from a person's willful avoidance of facts."
Additionally, absent something more than a user-provider relationship, the service provider is not responsible for the content stored on its computers. Perhaps surprisingly, BIS also said the prohibition on giving nationals of Cuba, Iran, North Korea, Sudan or Syria access to the physical or computational capabilities of the provider's computers does not apply because barring access was "impractical." BIS relied for support of this conclusion on the logic that multiple systems could be accessed at a given time, since cloud computing utilizes "combinations of systems at any one time among a larger set of systems" and so it would be "impractical" to know who was accessing which server at which point in time. However, the location of the user had to be taken into account when it came to access by countries listed in Country Group D:4 if the service provider had reason to know the user would be involved in certain missile activity! Finally, almost as an aside, BIS said – don’t forget about OFAC’s restrictions which could come into play.
It is fair to say many thought the 2009 Advisory Opinion only muddied the waters. So, what happened next? The latest Advisory Opinion was issued January 11, 2011 and sought clarification about cloud computing and the deemed export rule. A deemed export occurs when technical data, related to a product which is itself subject to the EAR, is provided to a foreign national in circumstances where no license is in place. In its Opinion, BIS advised that since the cloud computing service provider was not itself an exporter, it would not be making a deemed export if a foreign national had access to the user-generated controlled technology which happens to be on the cloud servers. The concept described above regarding the service provider exporting product, e.g., manuals, etc., was repeated here to make the point that an export then occurs. Well, okay, so the computer service provider does not have a deemed export issue, but what about the company whose data is being viewed? Why BIS did not take the opportunity to better address that issue has some scratching their heads.
So, what do these Opinions really tell us? Probably more than might appear at first blush. Let’s start with the obvious: if you have a good or its related technical data which is subject to regulation by Commerce (or State for ITAR products), you simply cannot use cloud computing. You have no means to ensure that a foreign national does not come into contact with the controlled data. If you cannot limit who has access to controlled data, you cannot put that data into the uncontrolled environment. There is nothing new to that conclusion, but how about this question – if you have controlled data and you have measures in place to limit access, what happens in those circumstances where the sender and receiver are in the U.S., but the servers through which the communications are routed are in foreign countries? How do you make sure the controlled data remains secure? Given how computers are networked and the global positioning of servers, can anyone be sure a message that has been sent remains within the U.S. through the entire transmission process from sender to receiver? By the way, even if your systems and technical data are secure, when was the last time you checked to make sure the controlled data being given to your forwarder is being properly handled? What about by that forwarder’s foreign agents? And yes, how have you factored in the OFAC restrictions?