Encryption and Cyber Exports – Why It Concerns YOU And May Put Your Company At Risk!

Export control is unfortunately yet another thing that should keep you up at night – merely involving non-U.S. actors in your development or delivery process, or selling U.S.-based products to other countries, exposes you to a myriad of poorly defined regulations and risks for your IP and business. Today we'd like to show some of the complexities of U.S. export regulations while at the same time covering two topics potentially relevant to your business and daily operations: Encryption and Cybertools.

Exports and Cybertools

The rapidly growing cyber threats and the sophistication of Cybertools are driving increased demand for encryption. The market for encryption products is growing and more developers are building software that integrates encryption. Moreover, the growing prevalence of encryption solutions is challenging and changing the legal frameworks that regulate the distribution of encryption technology and its relation to export law.

On Thursday, February 8, 2018, we had the chance to participate in a small group talk with Roszel C. Thomsen II at Nordic Innovation House in Palo Alto. We dare to say that Mr. Thomsen, or simply “Roz” as he is often called, is a guru* in the U.S. when it comes to export regulations. The topic for the talk was Essentials of U.S. Exporting and Importing. In short, Roz described some of the laws and regulations governing U.S. exports and imports, focusing on Cybertools and encryption. Roz has already written a blog post for uslawfornordics.com, What you should know about U.S. Export Controls and Jurisdiction, which describes at a high level how the export regulations work. This blog will cover the highlights from the talk and some key implications for start-ups.

U.S. And Export Laws – How Do I Know Where to Start?

Like most countries, the U.S. has laws and regulations governing exports. Its export control regulations are the most stringent and far-reaching statutes that apply to encryption technology internationally. In many cases, you need a license issued by an agency of the U.S. government before you can export your software or hardware, something many smaller companies and start-ups find out too late. No less than 16 agencies (!) have authority to regulate and administer procedures involving export, while another dozen or so have advisory supporting roles. Most interesting are the Export Administration Regulations (EAR), which are very comprehensive, covering all U.S.-origin hardware, software (including source code) and technology. They apply to a broad range of technologies, for example, integrated circuits, aircraft parts, and encryption.

In any export control situation, e.g., anytime you export software or hardware from the U.S., you need to ask yourself three main questions:

1. Which agency (or agencies) have jurisdiction with respect to the proposed transaction?

Among all the agencies, you have to identify which of them have the authority to give you the kind of license you need. As mentioned, there are many different agencies and they all serve different purposes.

2. What is the classification of the items of interest?

For encryption, you need to know if the classification is civilian or military, which can seem arbitrary in many cases. However, it is critical to understand because if it’s classified as a military item according to U.S. standards, it will fall under the military category with basically zero chance to get an export license for a private company.

One example mentioned was the drone space, because manufacturers there are facing a concrete dilemma. If you have a high-performance drone, even if it is loaded with less complex software, it will likely be classified as a military tool. To avoid this classification, some players instead choose to use a simpler drone with more sophisticated software to compensate for the lower-grade hardware (if possible).

3. Do I need an export license or other approval to engage in the transaction?

This will depend on who you are exporting to, where they are located and what their use of that technology may be. This may sound easy, but we got a real-life example from Roz, that I think most people are not aware of. Under the Export Administration Regulations, a release of technology to a person who is neither an American citizen nor a “protected individual” is considered (or deemed) to be an export to the home country of the foreign national. This means that if you share information that relates to encryption with your co-worker, you may need to seek an export license if your co-worker is neither an American citizen nor a protected national. Alternatively, if you’ve already shared the information without the proper license, you may have to report to the U.S. government that you have breached the export regulations!

Exporting to U.S. Sanctioned Countries

Even if you manage to navigate around the myriad of U.S. export agencies, laws and regulations, many exporters fail to devote sufficient resources to compliance with U.S. sanctions administered by OFAC (Office of Foreign Assets Control). U.S. sanctions cut across every export control. Roz tells us about one of his clients, a Japanese company, that developed European headsets at a subsidiary in Stockholm, Sweden. The Japanese company used a design expert team from another subsidiary in San Diego, California. Further, the Japanese company intended to implement Finnish software as an operating system in the headset and wanted to sell the equipment to Russia. Because there was a U.S. entity involved, even if only as a design expert, and an export transaction to a country that is on the OFAC sanctions list (Russia), the Japanese company had to seek the appropriate certification required for an export sale to a U.S.-sanctioned country. Effective OFAC compliance is critical, whether a company exports weapons or widgets, and ignoring it could result in your company violating international sanctions unintentionally.

Cybertools

Modern Cybertools are often defined as dual use, i.e., not only for military but also for civilian applications. They are difficult to define, except by way of example, and the regulatory standards are quickly being overtaken by technology. Both government and the private sector recognize the need for Cybertools to secure and manage cyber assets (e.g., testing for vulnerabilities is a critical defense mechanism) but also share a concern about their availability to illegitimate actors for malign purposes. With cyber attacks typically crossing borders and company domains, the regulation of Cybertools is increasingly complex and falling behind actual use. The main concern is that the use of Cybertools evades national boundaries and may threaten national security if they are used for illegitimate purposes, which is why it is essential that countries promote transparency and take greater responsibility in the transfer of these dual-use goods.

There are different kinds of Cybertools impacted by this. Roz mentioned the following:

  • Surreptitious intercept
  • Lawful intercept
  • Data monitoring
  • Data retention
  • IMSI catchers
  • IP Network Surveillance Systems
  • Intrusion Software
  • Digital forensics

Export Controls on Artificial Intelligence – Where Do We Stand?

There is currently no clear guidance on how to structure the export classification mechanism for AI applications in the U.S. export regulations. Export control for AI is not new; initial steps were actually taken already in 1992 to set a legal framework around “neural networks”. Both the U.S. and the international Wassenaar Arrangement, a multilateral arrangement of 40 nations regulating how weapons are exchanged, have recognized its importance for international trade and are committed to updating their treaties to include AI, but neither has come to any clear conclusions or decisions yet.

Sooner or later, new or updated regulations on AI-related control items will be released by the U.S. export control agencies and multilateral export regimes like Wassenaar, and it will be crucial that people with the right understanding of the technology are highly involved in drafting the regulations. This could be an issue in itself, as leading private companies within AI are taking very different approaches to sharing and releasing fundamental components of their research on AI, which, in effect, is needed to fully understand what and how to regulate AI. Some of the leaders fall into two really clear categories:

  1. IBM and Microsoft – they invest heavily in fundamental research on AI and publish a lot of their development and findings, and they have continued to work with the Wassenaar member states and the security community to find a balance between the needs of security researchers and regulators; and
  2. Amazon and Apple – they invest heavily in the development of AI but publish little of their findings and applications and tend to see fewer benefits from mutual decisions about how to categorize AI for export control on a multinational (or national) level.

Others like Facebook and Google fall somewhere in between these extremes.

Final Words

In conclusion, I must say that judging by the complexity of export regulations and rapid pace of the development of technology, Roz and other lawyers involved in export regulations have an important role to play and there is a need to have someone representing the industry in the evolvement of export regulations for encryption and Cybertools as the current legislation is not formed to fit tomorrow’s (or today’s!) technology.

*ROSZEL C. THOMSEN is a partner in the law firm of Thomsen and Burke LLP, with offices in Washington, DC and Baltimore, Maryland.  Mr. Thomsen concentrates on international trade and investment law, with emphasis on representing information technology and life sciences companies and their trade associations in regulatory, legislative and enforcement matters. Active in many government-industry partnerships, Mr. Thomsen currently is a member of the Steering Committee on the U.S. Federal Bureau of Investigation’s Information Technology Study Group, as well as a member of the U.S. Commerce Department, Bureau of Industry and Security’s Information Systems Technical Advisory Committee.  Mr. Thomsen also has participated twice as an Industry Representative on the United States Delegation to the Wassenaar Arrangement on Dual Use Export Controls in Vienna, Austria.  In recent years, Mr. Thomsen has participated in bilateral discussions with the governments of China, India and the Russian Federation in connection with their development of trade controls with respect to cryptography. Mr. Thomsen is listed in The Best Lawyers in America, a co-author of United States Export Controls, and an editor of the Journal of Internet Law. He has lectured at many universities, trade associations and other conferences on trade controls, in general, and cryptography, in particular.

Posted by Olivia Gorajewski

Olivia is one of our co-founders and a frequent blogger on our site