Where Industry and Security Intersect
What's New | Sitemap | Search
Second, and perhaps more importantly, the topic is actually a bit of a misnomer as relates to the U.S. because the U.S. has not really implemented intangible technology controls as such. Unlike most of the other countries here, we make no distinction, for export control purposes, between tangible and intangible transfers. Rather, our transfer controls govern the export or transfer of technology in general-- the mode or medium of the transfer is not relevant.
Thus, I thought a better approach might be to discuss the control of certain dual-use technologies, which can be reduced to an intangible form. More specifically, those dual-use technologies that pose certain national security and/or proliferation risks. (Just to be clear, I am not talking about arms, nor am I talking about nuclear equipment, materials or technology.)
My discussion will address four issues regarding intangible transfers of technology: (1) the basis for U.S. export controls, (2) the legal/regulatory framework that has been established to control intangible transfers of technology, (3) the legal/ regulatory framework that has been established to control intangible transfers of encryption software, and (4) export regulation in an E-Commerce marketplace.
The basis for the United States controlling intangible transfers of technology can be discerned from the way we view export controls. That is, we make only one determination-- whether a commodity, as well as the technology relating to the production, use, or development of that commodity, should be controlled. If it is determined that the commodity and the technology relating thereto should be controlled, then we control it-- period. No further inquiry is made.
The U.S. is first, foremost, and solely concerned with controlling the technology we have determined should be controlled. As such, the medium by which the technology is transferred-- whether via the Internet, by oral communication, or by putting the blue prints in the mail-- is wholly irrelevant. I realize this may be different than the way other countries view export controls, but it is our view and the basis for our legal framework.
Now that I have explained the basis for our controls, the question is, how do we do it? Well, that is where the legal framework comes in. Although, to be honest, the really hard part of controlling intangible technology transfers is enforcement. Assistant Secretary Amanda DeBusk will talk to you about that however, I get the easy part-- explaining the legal framework.
As I said at the outset, the U.S. system has long applied to both tangible and intangible transfers of technology. Our regulations define technology as: specific information necessary for the development production or use of a product. The information can be either technical data, generally tangible technology, or technical assistance, generally intangible technology.
The United States has adopted a very broad and sweeping approach to controlling the export and reexport of technology and software to destinations outside of the U.S. And while there are exceptions, (i.e. information resulting from fundamental research, educational information, patent applications, and others), what is most significant is that our controls are maintained for any and all transfers to persons and/or destinations outside of the U.S.-- notwithstanding the means by which the transfer occurs. I should note, parenthetically, that most exports from the U.S. do not require a license because of the number of license exceptions available to regime list members and to other low risk destinations. We try to focus our license requirements, therefore, on destinations of concern.
Our regulations provide that technology or software is "released for export" in one of three ways: (i) visual inspection by foreign nationals of U.S.-origin equipment and facilities, (ii) oral exchanges of information in the United States or abroad, or (iii) the application to situations abroad of personal knowledge or technical experience acquired in the United States. And any such "release" of controlled U.S. technology or software is subject to control under U.S. law. This concept is fundamental to U.S. controls of intangible transfers. And the term "release" is expressly incorporated in our deemed export rule and our deemed reexport rule, both of which have intangible transfer components.
. The Deemed Export Rule. The deemed export rule states that any release of technology or software, subject to U.S. export regulations, to a foreign national is deemed to be an export to the home country or home countries of that foreign national. (This rule does not apply to those persons who are permanent residents of the U.S.) Here is how this rule works in practice. Let’s say a national of "country A", which is a country of concern, comes to the U.S. to work at a large chip manufacturing company. And in order for him to perform the job for which he was hired, it will be necessary for him to be privy, through oral communication, to U.S. controlled technology.
This U.S. chip manufacturing company, having a very rigorous export compliance program with an extremely knowledgeable staff, quickly realizes they may need to obtain an export license for the national of "country A" because release of this U.S. controlled technology will be treated as if the technology had been shipped to "country A." So while the transfer is intangible, oral communication, it is treated the same as a tangible transfer; and thus, the licensing requirements, if any, are the same as they would be for the physical shipment of that same technology to "country A."
. The Deemed Reexport Rule. Any release of technology or source code subject to the EAR to a foreign national of another country is a deemed reexport to the home country or countries of the foreign national. I am sure this sounds pretty strange to most of you, even those of you not hearing this for the first time and who may be familiar with this rule, so let me give you an example (and I will build upon the previous example to do so).
Let’s take that same national from "country A," but instead of coming to the U.S. to work at a large chip manufacturing company, he goes to "country B," also a country of concern, to work for a subsidiary of the same U.S. chip manufacturing company. And just like when he came to the U.S., it will be necessary for him to be privy, through oral communication, to U.S. controlled technology.
Now, as I have mentioned, this U.S. company has a very sophisticated export compliance program and therefore realizes its subsidiary may need to obtain a license for the "country A" national to work at their "country B" subsidiary. Why? Because release of the U.S. controlled technology will, like under the deemed export rule, be treated as if that release were being made to "country A." So why is this a deemed reexport?
This kind of an export is considered a deemed reexport because the technology was initially exported from the U.S. to "country B." So transfer of that technology to the "country A" national in "country B" is a reexport. In this case the reexport was to "country A" inasmuch as the individual in our example is a "country A" national.
So the deemed export rule and the deemed reexport rule are two examples of how the U.S. seeks to control intangible technology transfers.
Although the deemed export approach used in the U.S. is provided for in legislation (our Export Administration Act), we recognize that not all countries want to, or can, use export control legislation and/or their export administrative agencies (like the U.S. Bureau of Export Administration) to control the internal transfer or release of technology. Nonetheless, we do believe it is important to give some consideration to establishing effective alternatives that address the risks associated with the internal transfer of technology. Such transfers, gone unchecked, can have an impact on our shared concerns.
Our regulations define the export of encryption software as an actual shipment, transfer, or transmission out of the United States; or a transfer of such software in the United States to an embassy or affiliate of a foreign country. In addition, the export of encryption software includes the downloading of, or causing the downloading of such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside of the U.S. or making such software available for transfer outside of the U.S. Thus, the posting of encryption software on the Internet can constitute an export under our regulations.
The U.S. export policies on encryption software have probably been the most controversial and challenging of our export control policies. Our regulatory policy, however, just like encryption technology itself, continues to evolve and become more flexible with each passing day-- literally. I say this because further clarifications to our current encryption regulations will be forthcoming in early October, so stay tuned.
The U.S. recognizes there is an ever increasing global demand for information technology, and that it is important to make adjustments and updates to keep pace with all of the electronic wizardry, which now abounds. As such, the core of our current encryption export control policies now rests on three basic principles: a technical review of encryption products in advance of sale, a streamlined post-export reporting system that takes into account industry’s distribution models, and review of some exports to foreign government end-users. We believe these principles will meet important privacy, national security, and law enforcement needs, while also ensuring that the needs of the business community will be met. Having said that, I anticipate that the participants from the business community will say that we haven’t quite gotten there yet.
In closing, I want to briefly discuss the challenges of export regulation in an E-Commerce marketplace. Products evolve at a rapid pace and can be transferred around the globe within the click of a mouse. This has required regulators and businesses alike to swiftly adjust from a brick and mortar based export regulatory system, to a click and mortar based model.
In the U.S., and I suspect other countries as well, the brick and mortar model, was based on businesses knowing their customers, establishing an export compliance program, and ensuring employees were generally aware of export regulations. And in the brick and mortar model, transfers were made by tangible means, and generally from a company’s own warehouse. Little, if any, outsourcing occurred.
The click and mortar model, in contrast, involves selling to customers whom businesses may not know, and negotiating contracts with those customers over the web. Transfers in this model do not involve physical shipments; rather, shipments downloaded from the web. And in the new model, unlike the old model, outsourcing is commonplace.
So do the old formulas work in the new economy? How does a business really know its customer in the e-commerce marketplace? Do regulators need to draft new rules? Do businesses need to revise their compliance programs?
The answers to these questions are not clear. But what is clear is that it is more important than ever for government and business to work together to address these challenges and come up with solutions. And given the rapidity with changes take place in the click and mortar marketplace, government regulations and business compliance programs must be sufficiently flexible to keep pace in the e-commerce marketplace.
In April of 2002 the Bureau of Export Administration (BXA)
changed its name to the Bureau of Industry and Security(BIS). For historical
purposes we have not changed the references to BXA in the legacy documents
found in the Archived Press and Public Information.