|
|
U.S. EXPORT CONTROLS PAST, PRESENT AND FUTURE
(1998 Edition)
by Roszel C. Thomsen II
There were a number of important changes to U.S. export controls in 1998. The regulatory changes are described in detail, with accompanying citations to the Federal Register, in our Summary of Final Rules, Proposed Rules and Notices Published in the United States Federal Register by the Commerce, State and Treasury Departments Amending Provisions of the Export Administration Regulations, International Traffic in Arms Regulations, Foreign Asset Control Regulations and Foreign Trade Statistics Regulations During 1998.
This memorandum attempts to isolate the most important regulatory developments and place them in context. They fall into five topical categories: (1) computers, (2) cryptography, (3) sanctions, (4) satellites and (5) Wassenaar. Each of the first four topical categories is discussed in four dimensions: (A) legislation, (B) regulations, (C) enforcement, and (D) recommendations. Wassenaar is a separate subject.
As you will recall, on November 18, 1997, Congress passed the National Defense Authorization Act for Fiscal Year 1998 (“NDAA”, Public Law 105-85). Title 12, Subtitle B, Sections 1211-1215 of the NDAA imposed new requirements on exports of computers under License Exception CTP. Under Section 1211 of the NDAA, a company that intends to export or reexport a computer having a composite theoretical performance (“CTP”) between 2,000 and 7,000 million theoretical operations per second (“MTOPS”) to a Computer Tier 3 country (e.g., China, India, Israel and Russia) must provide advance notification to BXA. In addition, if a company knows that an item will be used to upgrade a computer beyond the eligibility limit for that country, then it must file an advance notification with BXA. Under Section 1213 of the NDAA, post-shipment verifications are required for exports of computers with CTP greater than 2,000 MTOPS to Tier 3 countries.
Congress did not pass any additional legislation with respect to high performance computers in 1998. However, the so-called Cox Committee held a number of hearings on the subject of computer export controls and should release its report in January of 1999. In addition, The Commerce Department’s Bureau of Export Administration (“BXA”) published important regulations implementing the NDAA, and BXA’s Office of Export Enforcement collected the largest fine ever for violations of the export controls on computers.
BXA published regulations amending the Export Administration Regulations (“EAR”) implementing the NDAA Notification Procedures on February 4, 1998. These regulations set forth the procedures for filing of NDAA Notices on BXA’s Multipurpose Application Form (BXA-748P). In addition, BXA published regulations implementing the NDAA Post-shipment Verification Reporting Procedures on November 12, 1998.
Although these are important regulations, perhaps the most troubling aspect of export control practice and procedure under the NDAA is the evolution of unwritten “policies” that are being implemented by BXA. For example, BXA’s licensing staff routinely is rejecting NDAA notifications that have been filed by parties other than the manufacturer. BXA’s enforcement staff clearly has targeted as subjects of its investigations freight forwarders that do significant business with China. This area is ripe for further unwritten licensing “policies” and sub rosa investigations, especially if the Cox Committee’s report singles out BXA’s management as being lax in its implementation of computer export controls.
As an early warning indicator of just how ugly the situation with respect to export controls on computers could turn in 1999, one need look no farther than IBM. On July 31, 1998, a U.S. District Judge in Washington, D.C., imposed a criminal fine of $8.5 million on IBM East Europe/Asia Ltd. for exporting computers to Arzamas-16, a Russian nuclear weapons laboratory. In addition, BXA imposed a civil penalty of $171,000, the maximum permitted under the charges. IBM also relinquished its ability to use license exception CTP for a period of two years, as part of its administrative settlement. This represents the largest penalty ever imposed for violations of the EAR!
The computer industry needs to assemble a coalition of supporters from the machine tool, aerospace and other industries that would be negatively impacted if the Cox Committee’s recommendations result in further tightening of the export controls on computers. Such a coalition could be an effective counterweight to the unreconstructed Cold Warriors, who would cripple this vital industry in the name of national security.
The computer industry also should establish a uniform set of principles that guide export practices, similar to the Sullivan Principles that guided trade with South Africa during the Apartheid regime. Such a set of principles might allow the computer industry to seize the moral high ground in the export control debate, and avoid being stigmatized as a bunch of greedy, unprincipled profit maximizers.
Finally, the computer industry should propound uniform due diligence practices for sales in Tier 3 countries, so that all companies can compete on a level playing field in these difficult markets. This goal is ambitious, but the computer industry faces significant challenges in 1999, and needs to consider dramatic, proactive steps to avoid “rollbacks” in the current export control policy.
Industry and the privacy rights community lobbied long and hard for legislation to reduce the onerous export controls on cryptography in the 105th Congress. The Americans for Computer Privacy did an admirable job of erecting a “big tent” that included a broad spectrum of interests, and it launched the first ever “grassroots” campaign to enlist public support.
Nonetheless, encryption export control reform died sometime before the 105th Congress finally adjourned. H.R. 695, the Security and Freedom through Encryption (SAFE) Act, which counted among its co-sponsors over half the Members of the House of Representatives, never got out of the Rules Committee. S. 2069, the E-Privacy Act, also never really gained momentum.
Some of the pressure on the Clinton Administration’s encryption export control policy was relieved by two regulations that were published late in 1998. These regulations adopted some of the principal provisions of the SAFE and E-Privacy Acts, like decontrol of cryptographic products for electronic commerce, and decontrol all cryptographic products with encryption key lengths of 56 bits or less.
BXA published two regulations amending the export controls on encryption in important respects in 1998.
On September 22, 1998, BXA published a rule that implements important reforms with respect to cryptographic products used in electronic commerce. This rule authorizes exports of general purpose, non-voice cryptographic products to banks and financial institutions. It also authorizes exports of financial specific cryptographic products designed for electronic commerce applications (e.g., implementing the Secure Electronic Transactions protocol for encrypting credit card information). (In addition, this rule cleaned up some of the mistakes found in the last comprehensive re-write of the encryption rules, back in December of 1996.)
On December 31, 1998, BXA published a rule that implements the Vice President’s announcement of September 16, 1998 with respect to cryptographic export controls. This rule increases the decontrol limit from 40 to 56 bits for general purpose cryptographic products. It also extends favorable licensing treatment beyond U.S. subsidiaries and banks to include for the first time insurance companies, health and medical end-users and on-line merchants. Perhaps the most interesting and innovative aspect of the new regulations is that so-called “recoverable” products allowing law enforcement to obtain access to plaintext with the assistance of a network administrator may be exported to foreign commercial end-users in 42 countries.
These reforms represent a step in the right direction. However, the encryption export control debate is far from over. Unfortunately, the “fine print” in these complex regulations, like the one-time technical review and reporting requirements, effectively remove much of the benefit that industry had expected to receive. The debate is likely to continue well into 1999, and beyond.
Neither the Justice Department nor the Commerce Department concluded an enforcement action worthy of reporting. However, there are two interesting First Amendment challenges to the export controls on encryption that are proceeding through the courts.
When he was a graduate student at the University of California at Berkeley, Daniel Bernstein wrote a software program known as “Snuffle” as a part of his Ph.D. dissertation in computer science. Prohibited from publishing his source code in electronic form on the Internet by the export controls on cryptography, Bernstein filed suit in the Northern District of California, alleging that the export control regime infringed his right of free speech under the First Amendment. See Daniel Bernstein vs. United States Department of State et al., 974 F. Supp. 1288 (N.D. Cal. 1997).
Judge Marilyn Hall Patel ruled that computer source code is speech, eligible for protection under the First Amendment. She issued an injunction prohibiting the Commerce Department from enforcing the export controls on encryption under the EAR against Daniel Bernstein and his “Snuffle” encryption source code.
Judge Patel’s injunction was stayed, pending a decision on the Justice Department’s appeal to the Ninth Circuit Court of Appeals. Although the Ninth Circuit held oral arguments on the Justice Department’s appeal of Judge Patel’s ruling, it did not issue its decision in 1998.
Across the country, in the District of Columbia, Phil Karn, an engineer with Qualcomm, Inc., is litigating a similar issue in Karn vs. Department of State. Karn filed suit in the U.S. District Court for the District of Columbia, alleging that the Department of State denied his right to export a diskette containing cryptographic source code published in Bruce Schneier’s textbook, Applied Cryptography. Although the diskette and the book contain identical information, the diskette requires a license for export, and the book does not.
Judge Charles R. Richey ruled that Karn’s First Amendment claim was “meritless”. See Karn vs. United States Department of State et al., 925 F. Supp. 1 (D.C.D.C. 1996). Karn appealed to the Court of Appeals for the District of Columbia Circuit. On January 1, 1998, the case was remanded back to the District Court for further consideration in light of the transfer of jurisdiction from State to Commerce in the fall of 1996.
In the short term, the export licensing system is likely to get badly backlogged, as companies file applications for commodity classifications, licenses and encryption licensing arrangements to take advantage of the new encryption policy. Companies should file early where possible in order to be at the front of the queue.
In the intermediate term, the Clinton Administration has promised that it will conduct an annual review of the encryption export control policy, beginning early in 1999. The prospects for further reform are cloudy. The Clinton Administration’s export control policy with respect to encryption has been characterized by a periodic build-up in pressure, followed by a significant change approximately every second year. The limits of this approach are recognized, however, and there may be a possibility for incremental reforms in 1999, if industry can stay focused and coordinated.
In particular, there is a good opportunity to build on the precedent established for the export of “recoverable” products. Further progress might involve expanding the scope of products that are exportable to include managed end-systems, expanding the countries and end-users to which those products might be exported, streamlining of onerous reporting requirements, and other similar efforts.
Nevertheless, industry should remain cognizant of the fact that Congressional pressure has been a critical element in forcing the Clinton Administration to implement even modest reforms. Republican leaders in the Senate appear willing to consider legislation in the 106th Congress. We should try to capitalize on this opportunity.
Legislation imposing sanctions against foreign countries has been one of the most popular means at Congress’s disposal to deal with activities by foreign governments that are unpopular. Since 1993, the U.S. has imposed more than five dozen sanctions on nations charged with violating human rights, trading unfairly or spreading weapons of mass destruction. Targets of sanctions have ranged from rogue regimes, like Libya and Iran, to allies, like Canada and Italy.
The explosion of nuclear weapons by India and Pakistan in May of 1998 demonstrated the limited utility of economic sanctions. The so-called Glenn Amendment automatically triggered sanctions against India and Pakistan, even after they had acquired and tested the weapons of mass destruction that such sanctions were designed to deter. Foreign competitors moved promptly to take advantage of business opportunities that American companies could not pursue.
In retrospect, the sanctions against India and Pakistan may have been a high point in the use of sanctions. At the end of the 105th Congress, the so-called Brownback Amendment (Pub. L. 105-277, Sections 901-905) lifted some of the sanctions related to financial investments in India and Pakistan. Although the export control sanctions remain in effect, we expect that they will be construed narrowly, and may be removed selectively once Congress provides authority to do so.
BXA implemented sanctions against India in two waves. The first wave of sanctions was published only on the BXA web site, and implemented a new policy that BXA would deny applications to export products and technologies controlled for nuclear and missile proliferation reasons under the Glenn Amendment. The second wave of sanctions was published not only on BXA’s web site but also in the Federal Register on November 19 and 29, 1998. It consisted of new regulations extending the embargo to a broader list of products and technologies that might be exported to government, parastatal and military entities in India and Pakistan.
In addition to sanctions imposed against India and Pakistan by BXA, the Treasury Department’s Office of Foreign Assets Control (“OFAC”) published regulations implementing sanctions for the first time under Executive Order 13047 against Burma in May and under Executive Order 13067 against the Sudan in July. OFAC also fine-tuned existing sanctions against Cuba, Iran, Iraq, North Korea, Serbia and Montenegro in response to political developments in 1998.
The most interesting enforcement case involving a sanctioned country is United States vs. Fiber Materials Inc. In March of 1995, Walter Lachman and Maurice Subilia, top executives of Fiber Materials Inc. ("FMI") were convicted of illegally shipping controlled items to India. The case hinged on the definition of “specially designed”, a term that is used in over 100 Export Control Classification Numbers (“ECCNs”) on the Commerce Control List.
The Federal District Court in Boston has been considering FMI’s motion to set aside the jury verdict for several years. Nonetheless, considering the fact that the EAR does not contain a definition of “specially designed” and absent a final judgment in the case of FMI, exporters enter 1999 still not knowing whether their products are classified properly. This should be intolerable not only to the exporting community but also to BXA. It is time to publish a definition of “specially designed”!
Industry’s opposition to sanctions legislation has been essentially reactive, in the past. Typically, bills to impose sanctions are introduced, and industry opposes the bills on an ad hoc basis.
Arguably, 1999 would be a good year to introduce legislation that would place broad constraints on the imposition of unilateral export controls, perhaps in the context of a bill to reauthorize the Export Administration Act (“EAA”). Neither the Clinton Administration nor industry expressed great enthusiasm for legislation to reauthorize the EAA in the 105th Congress. However, failure to seize the initiative dooms industry to a continuing series of battles that drain resources just to keep the existing situation from getting worse.
Sooner or later, industry must seize the initiative and take a more proactive position in opposition to unilateral export controls, or it risks “death by a thousand cuts”.
You may recall that the State Department transferred jurisdiction with respect to commercial satellites to BXA in 1996. Early in 1999, jurisdiction with respect to commercial satellites will revert from BXA to the State Department after one of the most brutal export control battles in 1998.
In Section 1513 of the National Defense Authorization Act for the Fiscal Year 1999 (Pub. L. 105-261) Congress formally transferred all satellites and related items from the Commerce Control List to the United States Munitions List, effective March 15, 1999. The statute also makes it clear that Congress is unhappy with BXA’s approach to safeguarding the national security. “United States business interests must not be placed above United States national security interests…. Due to the military sensitivity of the technologies involved, it is in the national security interest of the United States that United States satellites and related items be subject to the same export controls that apply under United States law and practice to munitions.”
The primary question now is whether the Clinton Administration will implement the statute in accordance with Congressional intent. Rumors abound that a draft executive order circulating inter-agency would give the Commerce Department a formal review of all applications for satellite export licenses and make the commercial welfare of the United States satellite industry a factor that may be considered in whether to approve an export license application. If implemented, this review would represent the first time that the Commerce Department had a formal role in State Department licensing.
In 1998, Boeing agreed to pay a $10 million civil penalty to settle charges that it had improperly transferred military technology to its Russian and Ukranian partners in a commercial satellite venture known as “Sea Launch”. This is the largest civil penalty ever imposed by the State Department under the Arms Export Control Act. A criminal investigation is continuing.
The Boeing settlement could be the prelude to even more significant cases against Hughes and Loral, which allegedly provided technical assistance that was used to improve the accuracy and reliability of Chinese ballistic missiles. The investigation is ongoing, and will bear watching in 1999.
The transfer of jurisdiction with respect to satellites from Commerce to State is a bad precedent. If this transfer can happen with satellites, could it happen to cryptography, or even computers? If there is a silver lining to this dark cloud, however, it may be in the executive order or memorandum of understanding accompanying the transfer, which could provide for the Commerce Department to assume a broader role in licensing of articles on the U.S. Munitions List. Not only the directly affected aerospace companies, but all exporters could benefit from such a recognition that competitive factors play an important role in all export licensing determinations.
BXA published important changes to the Commerce Control List implementing provisions of the Wassenaar Arrangement on January 15, 1998. These changes reflect agreements reached at the meeting held in July of 1996 in Vienna.
For example, the control level governing microprocessors classified under ECCN 3A001 was increased from 80 million theoretical operations per second (“MTOPS”) to 260 MTOPS. The control level governing digital computers classified under ECCN 4A003 was increased from 260 MTOPS to 2,000 MTOPS. The control level for “communications channel controllers” on routers and switches was increased from 64,000 bits per second to 2.1 million bits per second. The control level for “network access controllers” on routers and switches was increased from 33 million bits per second to 156 million bits per second.
Nevertheless, most products that are released from multilateral export controls under Wassenaar remain subject to unilateral foreign policy controls and continue to require licenses for export to embargoed and terrorist countries. This requirement creates unnecessary complexity for companies that must review numerous ECCNs and reclassify products as subject to “AT” controls, rather than simply defaulting to “EAR99”.
Finally, the Wassenaar implementing regulation imposed new reporting requirements with respect to exports of certain products. Reports are required to be submitted to BXA semiannually for specified items controlled under the Wassenaar Arrangement exported under License Exceptions LVS, GBS, CIV, CTP, TSR and GOV.
In December of 1998, the Wassenaar member countries held another Plenary Session, and agreed to further streamlining of the control lists and reporting requirements. We anticipate that these changes will be published in the Federal Register sometime in the first quarter of 1999. As a result, many companies will have to overhaul their classification matrices yet again in early 1999, in order to take maximum advantage of the new control lists and the relaxation of reporting requirements that were agreed to by the Wassenaar member countries.
We anticipate that approximately one new change to the export control regulations will be published every third business day during 1999, based on historical patterns. In addition, we expect that there will be new bills introduced to the Congress that would increase export controls on computers after release of the Cox report, new bills to decontrol cryptography modeled after the SAFE and E-Privacy bills, and more frustration on all sides with respect to sanctions. As in the past, we will keep you informed of new developments monthly.