The International Traffic in Arms Regulations (ITAR) are controls established by the U.S. State Department to regulate the temporary import and export of defense articles. While most defense contractors understand how ITAR applies to physical objects, its application to data remains unclear to most. The first step in properly identifying technical data, and how it’s controlled for export purposes, is a concise understanding of what technical data is and what it encompasses.
Technical data refers to the unique information required for the development, production and subsequent use of defense articles.
- Development – includes all the information that is created or gathered before production and may include but is not limited to: layouts, pilot production schemes, testing and assembly prototypes, design research, integration design, configuration design, design concepts, design analysis, and other forms of design data.
- Production – comprises all the information generated or gathered during the production stages and may include but is not limited to: engineering, manufacture, assembly, integration, testing, inspection and quality assurance.
- Use – encompasses any information that relates to the installation, operation, maintenance, testing or repair of defense articles.
Technical data also refers to classified data that relates to defense services and defense articles.
Implications of Cloud Computing on Technical Data
The cloud facilitates access to information while expanding the delivery of services. On the other hand, ITAR aims to restrict the flow of information while limiting the provision of services and goods. The contrast between the two creates unique challenges as it relates to compliance for defense contractors who have operations in multiple countries and wish to adopt cloud computing. Some organizations have opted to avoid the cloud altogether and fall back to maintaining separate systems in order to meet ITAR requirements, which tends to be extremely inefficient and costly. In order to fully understand the possible implications of cloud computing on export controlled data, you must first understand what constitutes an export when it comes to technical data.
I. What is an Export?
In global trade, the term export is typically synonymous with large shipping crates being loaded onto ships or wheeled into a large transoceanic cargo plane. However, U.S. export control laws are not limited to the movement of hardware across borders; the regulations also extend to specific technical data. The type of control extended depends on the export control jurisdiction and classification. The Export Administration Regulations (EAR) define an export as the shipment or transmission of items out of the United States, or the release of software or technology to a foreign national within the U.S. The ITAR definition of export is analogous.
Technical data is regulated for reasons of foreign policy, non-proliferation and national security; the current law stipulates that technical data should be stored in the U.S. and that only authorized U.S. persons should have access to it. The existing definition of export was drafted at a time when cloud computing was not in the picture; therefore, the exact application of the term ‘export’ in this space remains unclear.
II. When Does an Export Occur?
When it comes to export control, transmitting data to a cloud platform for storage or manipulation is conceptually similar to carrying a hard copy of the data to another country or sending it via the mail. Transmitting data to the cloud for backup or processing mainly involves copying the data to a remote server. If the server’s location is outside the United States, then uploading export-controlled technical data to it will be deemed an export, as if it had been printed on paper and carried outside the country. This creates an appreciable challenge since, with the cloud, the end-user is not automatically privy to the location of the data, and the locations of the cloud servers are subject to change.
It is important to note that export-controlled data doesn’t have to leave the U.S. to be considered an export. Under ITAR, technical data should not be disclosed to non-US persons without authorization, regardless of where they are located. Non-US persons encompass any individual who isn’t a lawful permanent resident of the United States. When technology subject to ITAR is uploaded to a cloud server and a user from another country accesses it, an export has occurred, regardless of whether the provider has made sure that all servers are located within the U.S. and even though the data never left the United States.
III. Who is the Exporter?
Users of cloud services interact with the cloud in many different ways; in most cases, the operational specifics are intentionally abstracted by the service provider. Information relating to where the computations are occurring may not be made available to the end-user. However, in the United States, the cloud service provider is generally not considered the exporter of the data that its subscribers upload to its servers. Although the State Department hasn’t issued a formal directive on the matter, U.S. subscribers that upload technical data onto the hardware of a cloud service provider will be considered the exporters of said data in the event of foreign disclosures. Accordingly, if ITAR-controlled technical data is divulged to a non-US IT administrator of the cloud service provider, it is the subscriber to the service and not the service provider that is deemed the exporter.
The cloud has reshaped the landscape with respect to government, business, and consumer information technologies by delivering enhanced flexibility and better cost efficiencies for a vast variety of services. But the nature of cloud computing increases the chances of inadvertent export control violations. When it comes to ITAR-controlled technical data, users are exposed to unexpected and complex export requirements and, in the event of non-compliance, to severe criminal and civil penalties, including weighty fines and possibly jail time. With that in mind, the next logical suggestion would be to forget cloud file sharing and sync altogether; however, that does not have to be the case. The Bureau of Industry and Security published a rule in the Federal Register that establishes a ‘carve out’ for the transmission of regulated data within a cloud service infrastructure, on the condition that the data is encrypted. Encryption coupled with a set of best practices can enable you to freely adopt the cloud while remaining ITAR compliant.
Author: Gabriel Lando