Hackers for Hire – Ye be warned

Hacker Image - hand at keyboard

I’ve written several blogs on the topic of Deemed Exports, Presence as it relates to Deemed Exports and Reasonable Care, all of which explain how U.S. companies and individuals can run afoul of export regulations without physically exporting a product.

  • Deemed export is defined: As any release of technology to a foreign national within the United States. Technology is released for export when it is (i) made available to foreign nationals for visual inspection, (ii) exchanged orally, or (iii) made available by practice or application under the guidance of persons with knowledge of the technology.

In a first-of-its-kind move, the U.S. Department of Justice (DOJ) has entered a Deferred Prosecution Agreement against three former employees of the U.S. Intelligence Community, charging them with the export of their computer hacking skills. The three agreed to pay more than $1.68 million to resolve these criminal charges. You can read the legal summary here:

The “deemed export” regulation states that a transfer of “technology” (EAR term) or “technical data” (ITAR term) to the foreign person is “deemed” to be an export to the home country of the foreign person. Accordingly, for all controlled commodities, a license or license exception is required prior to the transfer of “technology” or “technical data” about the controlled commodity to foreign persons inside the U.S. 

This first-of-its-kind resolution involved two distinct types of criminal activity: providing unlicensed export-controlled defense services in support of computer network exploitation (hacking), and a commercial company creating, supporting, and operating systems specifically designed to allow others to access data without authorization from computers worldwide, including in the United States.

Deemed Export is a tricky area of export regulation. Below are some definitions that may help you better understand your responsibility in this area.

“Technology” or “Technical Data”

These phrases refer to technical information beyond general and basic marketing materials about a controlled commodity. They do not refer to the controlled equipment/commodity itself, or to the type of information contained in publicly available user manuals. Rather, the terms “technology” and “technical data” mean specific information necessary for the development, production or use of a commodity, and this usually takes the form of blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering specifications and documentation. The “deemed export” rules apply to the transfer of such technical information to foreign nationals inside the U.S.

“Use” Technologies

The routine “use” of controlled equipment by foreign nationals (e.g., using it in the ordinary way specified in the user manual, in such a manner that does not disclose technical information about the equipment beyond what is publicly available, does not require a license).

However, a license may be required if a foreign national is “using” the equipment in such a way as to access technical information beyond what is publicly available (for example, accessing the source code of software or modifying a piece of equipment in such a way as to gain non-publicly available technical information about its design.) This is what our hackers were accused of.

“Published” Information

Information is “published” (and therefore not subject to export controls) when it becomes generally accessible to the interested public in any form, including:

  1. Publication in periodicals, books, print, electronic or other media available for general distribution (including websites that provide free uncontrolled access) or to a community of persons interested in the subject matter, such as those in a scientific or engineering discipline, either free or at a price that does not exceed the cost of reproduction and distribution;
  2. Readily available at libraries open to the public or at university libraries;
  3. Patents and published patent applications available at any patent office; and
  4. Release at an open conference, meeting, seminar, trade show, or other open gathering held in the U.S. (ITAR) or anywhere (EAR).

Note, a conference or gathering is “open” if all technically qualified members of the public are eligible to attend and attendees are permitted to take notes or otherwise make a personal record of the proceedings and presentations. A conference is considered “open” notwithstanding a registration fee reasonably related to cost, and there may be a limit on actual attendance as long as the selection is either ‘first come’ or selection based on relevant scientific or technical competence.

Some examples of a Deemed Export
  • A: visit to your facilities; visual inspection of technology/data; providing of technical assistance; or shared work with foreign nationals.
  • Q.: Hey!  We have several foreign employees in our company. Are you saying that I can’t collaborate with a member of my own engineering department just because he is Chinese?
  • A.: Perhaps. 

Classification under the Commerce Control List (CCL) is the key to exporting with confidence. Knowing your products Export Classification Category Number (ECCN) will help you understand why the export is controlled, where the item can be exported without a license and to what countries the item must be licensed prior to shipping.

Your firm would likely need a license for those foreign national engineers and technical people who work in the divisions with the controlled technologies. Your firm would probably not need licenses for those individuals who do not normally come into contact with the controlled technologies, such as those in administrative areas. However, you should review the job descriptions of all your foreign national employees. For example, technical managers and technical training personnel who are NOT located at sensitive departments may need access to the controlled technologies in order to do their jobs, and so you may need to have deemed export licenses for technology transfer to them.

A good practice is to request a commodity jurisdiction from the U.S. State department. A commodity jurisdiction (CJ) request is used to determine whether an item or service is subject to the export licensing authority of the Department of Commerce or the Department of State. It is important that you understand, a CJ determination will only identify the proper licensing authority for an item and is not a license or approval to export.

Your Chinese engineer located in your U.S. facility may be unauthorized to participate in your project.

Noteworthy – the Department of Homeland Security’s U.S. Citizenship and Immigration Services (USCIS) now requires all employers to assess whether an export license must be obtained prior to hiring any H1-B employee, and to certify those findings. The certification requirement implements ITAR and EAR regulations.

Do these rules really apply to me?

Any foreign national is subject to the “deemed export” rule except a foreign national who (1) is granted permanent residence, as demonstrated by the issuance of a permanent resident visa (“Green Card”); or (2) is granted U.S. citizenship; or (3) is granted status as a “protected person.” This includes all persons in the U.S. as tourists, students, businesspeople, scholars, researchers, technical experts, sailors, airline personnel, salespeople, military personnel, diplomats, etc. Keep in mind, although the deemed export rule may be triggered, this does not necessarily mean that a license is required.

U.S. entities must apply for an export license under the “deemed export” rule when both of the following conditions are met:

(a) You intend to transfer controlled technologies to foreign nationals in the U.S.; and (b) the transfer of the same technology to the foreign national’s home country would require an export license.

What you need to do:

It is beyond the scope of this blog to offer legal advice and thus should not be construed as legal advice. Individuals seeking further information on the Deemed Export Rule or other export matters should consult with their company’s legal counsel and personnel responsible for export compliance prior to addressing any export concerns.

Wow, perhaps I should have started off with the above statement and saved you all the pain of reading this.

So here it is. If you have doubts after you’ve exhausted all of the other resources you could find, contact your legal counsel and get it straight from them, but in the meantime, memorialize your foreign national access controls by including them in a robust export management system and stick to your plan. The USCIS form I-129 requires you to certify that you have reviewed the export control requirements applicable to the individual and determined whether a deemed export license is necessary.

Follow the steps outlined above and understand what technical capability your product has that may be of concern to the government by requesting a Commodity Jurisdiction from the State Department, then follow the rules and guidelines based on their determination. It will either be ITAR or EAR. Determine whether an export license is required or if an exception exists.

If you would like to explore this topic further or require assistance with your program, please reach out and contact me directly.