18-0109 Tuesday “Daily Bugle”


Tuesday, 9 January 2018

The Daily Bugle is a free daily newsletter from Full Circle Compliance, containing changes to export/import regulations (ATF, Customs, NISPOM, EAR, FACR/OFAC, FTR/AES, HTSUS, and ITAR), plus news and events. Subscribe here for free subscription. Contact us for advertising inquiries and rates.

[No items of interest noted today.]

  1. Items Scheduled for Publication in Future Federal Register Editions
  2. Commerce/BIS: (No new postings.)
  3. DoD/DSS Announces e-FCL NISP PSI Data Collection
  4. State/DDTC: (No new postings.)
  5. EU Amends Sanctions Against North Korea
  6. Germany’s BAFA Publishes Export Control Newsletter
  7. ST&R Trade Report: “Civil Penalties Increased for Commerce Dept. Regulatory Violations”
  8. A. O’Keefe: “Why the EU’s Call to Remove Crypto-Tech from Dual-Use Export Controls is Encouraging”
  9. D. Salkeld: “Customs Update, January 2018: Important Updates to Ring in the New Year”
  10. G. Hinck: “Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research”
  11. M. Volkov: “Five Major Compliance Predictions for 2018”
  12. T. Murphy: “Border Searches of Personal Electronic Devices”
  13. Full Circle Compliance and the Netherlands Defense Academy Will Present “Winter School at the Castle”, 5-9 Feb 2018 in Breda, the Netherlands
  14. Bartlett’s Unfamiliar Quotations
  15. Are Your Copies of Regulations Up to Date? Latest Amendments: ATF (15 Jan 2016), Customs (8 Dec 2017), DOD/NISPOM (18 May 2016), EAR (8 Jan 2018), FACR/OFAC (28 Dec 2017), FTR (20 Sep 2017), HTSUS (1 Jan 2018), ITAR (3 Jan 2018)
  16. Weekly Highlights of the Daily Bugle Top Stories



 [No items of interest noted today.]

* * * * * * * * * * * * * * * * * * * *


1. Items Scheduled for Publication in Future Federal Register Editions
(Source: Federal Register)

* Treasury/OFAC; NOTICES; Blocking or Unblocking of Persons and Properties [Publication Date: 10 Jan 2018.]

* * * * * * * * * * * * * * * * * * * *



3. DoD/DSS Announces e-FCL NISP PSI Data Collection

(Source: DoD/DSS, 9 Jan 2018.)
The Defense Security Service (DSS) data collection of National Industrial Security Program (NISP) Personnel Security Investigation (PSI) Projections will be opened and available on January 26, 2018 ending February 23, 2018, and can be accessed through the Electronic Facility Clearance (e-FCL) system. DSS is responsible for projecting Personnel Security Investigations requirements each year. Annual projections acquired from Industry through this collection are the key component in Department of Defense program planning and budgeting for NISP security clearances.
Note that submitting the PSI projections is independent of e-FCL package submissions; submitting information related to the facility clearance is not required as part of the PSI data collection. 
If you have any questions, contact the PSI team at 

* * * * * * * * * * * * * * * * * * * * 



5. EU Amends Sanctions Against North Korea

* Council Implementing Regulation (EU) 2018/12 of 8 January 2018 implementing Regulation (EU) 2017/1509 concerning restrictive measures against the Democratic People’s Republic of Korea
* Council Implementing Decision (CFSP) 2018/16 of 8 January 2018 implementing Decision (CFSP) 2016/849 concerning restrictive measures against the Democratic People’s Republic of Korea

* * * * * * * * * * * * * * * * * * * * 


6. Germany’s BAFA Publishes Export Control Newsletter

(Source: German BAFA, 8 Jan 2018.)
The German Federal Office for Economic Affairs and Export Control (BAFA) has published the December 2017/January 2018 Issue of its Export Control Newsletter. 
European Union Law/Embargo Measures
With the Commission Implementing Regulation (EU) 2017/2217 of 1 December 2017 (OJ L 318 of 2.12.2017, page 23) amending the Council Regulation (EC) No. 1210/2003 concerning certain specific restrictions on economic and financial relations with Iraq, one entity was removed from the list of persons or entities to whom the freezing of funds and economic resources applies, as set out in Annex III to Regulation (EC) No. 1210/2003. The amendment implements the decision adopted by the Sanctions Committee of the United Nations Security Council on 24 November 2017.
With the Commission Implementing Regulations (EU) 2017/1974 of 30 October 2017 (OJ L 281 of 31.10.2017, page 27), (EU) 2017/2006 of 8 November 2017 (OJ L 290 of 9.11.2017, page 17) and (EU) 2017/2260 of 5 December 2017 (OJ L 324 of 8.12.2017, page 39) amending the Regulation (EU) 2016/44 concerning restrictive measures in view of the situation in Libya, two entries were amended in the list of vessels that are subject to a number of prohibitions, in particular the prohibition to load, transport or discharge crude oil from Libya and to access ports in the European Union, as set out in Annex V to Regulation (EU) 2016/44.
North Korea
With the Council Regulation (EU) 2017/1858 of 16 October 2017 (OJ L 2651 of 16.10.2017, page 1) amending Regulation (EU) 2017/1509 concerning restrictive measures against the Democratic People’s Republic of Korea, the ban on EU investment in and with North Korea was further expanded to all sectors, the amount of personal remittances that could be sent to North Korea was lowered from 15.000 Euro to 5.000 Euro and the possibility of approving the import of crude oil was further restricted. With the Council Implementing Regulation (EU) 2017/1859 of 16 October 2017 (OJ L 2651 of 16.10.2017, page 5) implementing the Regulation (EU) 2017/1509 concerning restrictive measures against the Democratic People’s Republic of Korea, three persons and six entities were included in the list of persons and entities that are subject to restrictive measures contained in Annexes XV and XVI to Regulation (EU) 2017/1509. In accordance with the Council Implementing Regulation (EU) 2017/1897 of 18 October 2017 (OJ L 269 of 19.10.2017, page 1) implementing the Regulation (EU) 2017/1509 concerning restrictive measures against the Democratic People’s Republic of Korea, four vessels were added to the list of vessels subject to restrictive measures set out in Annex XIV to Regulation (EU) 2017/1509. The Council Regulation (EU) 2017/2062 of 13 November 2017 (OJ L 295 of 14.11.2017, page 4) amending the Regulation (EU) 2017/1509 concerning restrictive measures against the Democratic People’s Republic of Korea amended the list of luxury goods subject to an import and export ban as set out in Annex VIII to Regulation (EU) 2017/1509. Detailed value limits were defined to put the restrictions in concrete terms; evaluative terms like e.g. “high quality” were deleted.
The Council Regulation (EU) 2017/2212 of 30 November 2017 (OJ L 316 of 1.12.2017, page 15) implementing Regulation (EU) No. 833/2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine created the possibility to authorise the provision, directly or indirectly, of technical assistance, financing or financial assistance related to the sale, supply, transfer or export and the import, purchase or transport of hydrazine (CAS-No. 302-01-2) in concentrations of 70 per cent or more, which is included in a product covered by Part I of the Export List, provided that hydrazine is to be used for certain purposes in connection with the ExoMars-Mission 2020.
The Council Implementing Regulation (EU) 2017/1942 of 25 October 2017 (OJ L 276 of 26.10.2017, page 1) implementing Article 15 (3) of Regulation (EU) No. 747/2014 concerning restrictive measures in view of the situation in Sudan updated the information relating to one person subject to restrictive measures in Annex I to Regulation (EU) No. 747/2014.
Ukraine – Measures in view of threats to the territorial integrity of Ukraine
In accordance with the Council Implementing Regulation (EU) 2017/2153 of 20 November 2017 (OJ L 304 of 21.11.2017, page 3) implementing the Regulation (EU) No. 269/2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine, one person was added to the list of natural and legal persons, entities and bodies subject to restrictive measures in Annex I to Regulation (EU) No. 269/2014.
On 13 November 2017, the European Union adopted the Decision (CFSP) 2017/2074 concerning restrictive measures in view of the situation in Venezuela (OJ L 295 of 14.11.2017, page 60) as a reaction on the crisis in Venezuela and, in particular on the numerous human rights violations and excessive use of force in Venezuela. This decision was implemented with the Council Regulation (EU) 2017/2063 of 13 November 2017 (OJ L 295 of 14.11.2017, page 21), given the legislative competence of EU, and is directly applicable in each Member State. This regulation provides i. a. for a ban on the export of arms and equipment which might be used for internal repression (Annex I to the regulation) as well as on the export of surveillance equipment (Annex II to the regulation) and the freezing of funds and economic resources of certain persons, entities and bodies responsible for serious human rights violations or abuses or repression of the civil society and democratic opposition whose actions, policies or activities otherwise undermine democracy or the rule of law in Venezuela as well as of persons, entities and bodies associated with them. The lists of names (Annexes IV and V to the regulation) are not filled yet.
In accordance with the Council Implementing Regulation (EU) 2017/2064 of 13 November 2017 (OJ L 295 of 14.11.2017, page 38) amending Article 2 (3) of Regulation (EC) No. 2580/2001 on specific restrictive measures directed against certain persons, entities and bodies with a view to combating terrorism, one body was removed from the list of persons, entities and bodies to which the Regulation (EC) No. 2580/2001 applies.
Inside BAFA
Update of Annexes to the EC Dual-Use Regulation
With the Delegated Regulation (EU) No. 2017/2268 of 26 September 2017 the EU Commission revised Annexes I, IIa to IIg (in relation to their controlled goods) and IV to Council Regulation (EC) No. 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items. This delegated regulation entered into force on 16 December 2017. Further information may be found at BAFA’s website.
New General License No. 30
On 11 December 2017, the General License No. 30 for non-sensitive transactions with Iran was announced in the Federal Gazette. It enables the conclusion of certain promissory purchasing contracts referring to goods listed in Annexes I, II, VIIA and VIIB to Regulation (EU) No. 267/2012 (Iran embargo regulation) as well as certain shipments of goods listed in Annexes I, II, VIIA and VIIB to the Iran embargo regulation to certain Iranian persons within the meaning of this Regulation, together with related technical assistance. This General License is based on the recent interpretation of facts permitting authorizations under the Iran embargo regulation, especially an interpretation according to which a purchasing contract is independently subject to licensing. With regard to export control law, however, there is no basic need to monitor legal transactions prior to a potential export exclusively by means of individual approval procedures. This applies particularly to the conclusion of sales contracts and shipments within Germany or the remaining customs territory of the European Union, as long as the compliance with the objectives of the Iran embargo regulation is guaranteed. Please note that this General License does not cover exports to Iran or to Iranian persons outside EU. Exports of goods listed in Annexes I, II, VIIA and VIIB to Iran or Iranian persons outside EU still require export licenses issued by BAFA. Further information and the link to General License No. 30 may be found at BAFA’s website.
Amendment of General License No. 16
As described above, Annex I to Regulation (EC) No. 428/2009 was amended by the Delegated Regulation No. 2017/2268. These amendments also concern i. a. the structure of Part 2 of Category 5 of Annex I. The controlled goods are, in part, specified in other control items of Category 5 Part 2. The amendments are related to goods of items 5a002a1, 5D002a and 5D002d of the former Annex I, which are now controlled by items 5A002a, 5D002a1 and 5D002b of Annex I. The changed structure results in necessary amendments in Section II fig. 4.3 d), which is reflected in the Amendment Announcement on the General License No. 16. The range of permitted goods is not expanded as a result. These amendments do not entail an extension of validity of the General License No. 16. It is valid until 31 March 2018. A further extension of this General License is, however, envisaged. Further information and the link to the amendment of General License No. 16 are available at BAFA’s website.
Information Leaflets
The Information Leaflets “Export Control and BAFA” and “Development of the Iran Embargo” were revised.
12th Day of Export Control – Tentative program
The tentative program for the 12th Day of Export Control to be held on March 22 to 23, 2018 on the topic “Challenges in foreign trade control” is available now.
For more information and registration, go here

* * * * * * * * * * * * * * * * * * * * 


7. ST&R Trade Report: “Civil Penalties Increased for Commerce Dept. Regulatory Violations”

The Department of Commerce is increasing for inflation the civil monetary penalty amounts that may be assessed for the following regulatory violations after Jan. 15, including when the associated violation occurred before that date.
  – false or fraudulent claims under the Program Fraud Civil Remedies Act (31 USC 3802(a)(1) and (2)) – maximum increased from $10,957 to $11,181
  – knowing use of false record or statement material to an obligation to pay or transmit money or property to the federal government (31 USC 3729(a)(1)(G)) – minimum increased from $10,957 to $11,181, maximum increased from $21,916 to $22,363
  – Fastener Quality Act violations (15 USC 5408(b)(1)): maximum increased from $45,268 to $46,192
  – prohibited acts relating to inspections or recordkeeping violations under the Chemical Weapons Convention Implementation Act (22 USC 6761(a)(1)(A) and (B)) – maximum increased from $36,849 to $37,601
  – violations of the International Emergency Economic Powers Act (50 USC 1705(b)) – maximum increased from $289,238 to $295,141
  – failure to file export information or reports required by 13 USC 304 within prescribed period – maximum for each day’s delinquency increased from $1,333 to $1,360, maximum per violation increased from $13,333 to $13,605
  – other unlawful export information activities under 13 USC 305 – maximum increased from $13,333 to $13,605
  – failure to furnish any information required under 22 USC Chapter 46 (international investment and trade in services survey) – minimum increased from $4,527 to $4,619, maximum increased from $45,268 to $46,192
  – foreign-trade zone violations (19 USC 81s): maximum increased from $2,795 to $2,852

* * * * * * * * * * * * * * * * * * * * 


8. A. O’Keefe: “Why the EU’s Call to Remove Crypto-Tech from Dual-Use Export Controls is Encouraging”

* Author: Amanda O’Keefe is a Senior Vice President and Assistant General Counsel in Citigroup’s Technology and Intellectual Property Group and Global Privacy Group.
As we enter 2018, Brexit and the final push for timely GDPR implementation will undoubtedly continue to be top agenda items for companies with interests in the EU. But the EU is already set to offer new challenges to keep us engaged throughout the year. Technology companies in particular should take note of proposed developments in EU export controls, set to proceed to a vote in the European Parliament plenary session in early 2018.
The EU dual-use recast, approved on November 23, 2017, by an overwhelming 34-1 vote of the European Parliament International Trade Committee, calls for updates to the 2009 Regulation (EC) No 428/2009 – the Dual-use Regulation. The regulation established a general framework for export controls on “dual-use items,” which are broadly defined as “items which can be used for both civil and military purposes,” and listed on a regularly updated annex which includes an array of items from uranium to certain types of sealants.
Though the dual-use items list is quite comprehensive, the regulation leaves administrative, substantive, and operational decisions largely to the member states, resulting in a lack of harmonization across the EU. The recast will address some harmonization issues, but will also bring additional items into the classification of dual-use items, including tools that can be used for cyber-surveillance. Companies wishing to sell covered cyber-surveillance items will be required to seek approval from national export control authorities before the items can be exported from an EU country to a non-EU country. Affected cyber-surveillance tools include items that “intercept mobile phones, remotely hack into computers, circumvent passwords, or identify internet users.”
In keeping with the EU’s Trade for All strategy, the driving force behind the recast is the EU’s commitment to fair and ethical trade and human rights. More specifically, the recast stems from a 2011 EU review of export controls on dual-use items, following human rights abuses that occurred during the Arab Spring. High profile abuses using cyber-surveillance items include the attack against Ahmed Mansoor, an activist calling for reform in the United Arab Emirates, using Israeli-sourced “Pegasus” spyware, and BAE’s sale through a Danish affiliate of “mass surveillance technology to six Middle Eastern governments that have been criticized for repressing their citizens.”
The BAE sale highlights the importance of harmonization. As reported by The Guardian’s Rob Evans, “if the UK had been asked to approve the export of this technology, it would have refused on the grounds that it could damage the security of the UK and its allies. … However, the Danish government approved the export, partly because its own intelligence service and foreign affairs advisers had not objected.”
Though the intent behind the proposed restrictions may be noble, a 2011 European Commission Green Paper acknowledges a key weakness in the strategy: Bad actors can find cyber-surveillance tools whether or not EU companies can export them. As the European Commission noted, “[t]he issue of foreign availability of controlled items is a key element of export control considerations as it significantly influences decisions on whether or not to control certain items. If there is broad foreign availability of particular goods, the reasons behind their control are greatly diminished, as the respective export control decisions can potentially negatively influence business performance, while not achieving any security goals.”
The recast is not limited to increasing restrictions on trade. In fact, German MEP Klaus Buchner introduced an amendment that would relax restrictions on technology products that use encryption. In Buchner’s view, “Cryptography technology does not belong in the scope of dual use export controls. It is the task of the Commission to introduce coordinated activity of Member States in the framework of the Wassenaar Arrangement to eliminate cryptography technology from the list of controlled items.”
Profit-seeking businesses are not the only parties interested in lifting trade restrictions on cryptography technology. Rights organizations, including Privacy International, have long argued that restrictions on encryption hinder cooperation and transparency in research and lead to vulnerabilities as companies reduce security features to avoid export restrictions.
The call to remove cryptography technology from the scope of dual-use export controls is an encouraging development for technology companies and rights organizations alike, but one that will require patience. Buchner’s own comment defers to the framework of the Wassenaar Arrangement, one of four international export control regimes addressing suppliers of dual-use goods, and the amendment itself does not direct the removal of cryptography technology from export controls, but rather directs the European Commission to propose legislation to remove such items within the next “five to seven years.” 
Nonetheless, the measure has strong support across the political spectrum and is unlikely to be weakened as the MEPs proceed to negotiate agreement with the Commission and member state governments in the coming months. 

* * * * * * * * * * * * * * * * * * * * 

9. D. Salkeld: “Customs Update, January 2018: Important Updates to Ring in the New Year”

(Source: Arent Fox, 8 Jan 2018.)
* Author: David Salkeld, Esq., david.salkeld@arentfox.com, Arent Fox LLP, Washington DC.
The beginning of a new year often brings new regulations or changes to programs. Customs programs are no exception. We have listed some key January 2018 changes for importers below.
Fee Increases
Pursuant to the US Customs and Border Protection (CBP) Final Rule (82 Fed Reg. 50523) and the General Notice (82 FRN 50659) published November 1, 2017, various changes to user fees within the Consolidated Omnibus Budget Reconciliation Act (COBRA) of 1985 took effect on January 1, 2018.
  – The Merchandise Processing Fee (MPF) ad valorem rate of 0.3464% will NOT change. The MPF minimum and maximum for formal entries (class code 499) will change. The minimum will change from $25 to $25.67 and the maximum will change from $485 to $497.99.
  – The Informal MPF (class code 311) will change to $2.05.
  – The dutiable mail fee (class code 496) will change to $5.65.
  – The surcharge for manual entry or release will change to $3.08.
GSP Expiration
The Generalized System of Preferences (GSP) expired on December 31, 2017. However, in years past, when GSP was reauthorized, Congress allowed for retroactive application of GSP treatment. Importers will need to make sure that any entries seeking preferential treatment continue to use a GSP special indicator (A, A+, or A*) to preserve eligibility for any retroactive application of GSP. Further guidance is provided on the CBP website.
Changes to 2018 Tariff Code
There are some updates to the 2018 Harmonized Tariff Schedule of the United States (HTSUS) effective on January 1, 2018. The new HTSUS includes the reinstatement of Argentina into the list of GSP-eligible countries and adds Gambia and Swaziland as African Growth and Opportunity Act (AGOA) beneficiaries. New statistical suffixes are also added for, among other products, organic lemons, gift wrap ribbons and bows, metal bed bases, diamond rotary rock bits, and parts for antennas. Most of the changes took effect January 1, 2018. For a full list of changes since the last edition of the HTSUS was published on January 1, 2017, see the change record.
The 2018 HTSUS includes some changes to rules of origin under the US-Oman Free Trade Agreement that take retroactive effect starting Feb. 1, 2017. Tariff shift rules are amended for several apparel subheadings in chapters 61, 62, and 63. Subheading 6202.93.55 for “other” anoraks of manmade fibers is amended so it now lists 15 free trade agreements that confer duty-free treatment. Subheading 6211.43.10 for certain “other” garments of man-made fibers is amended so it now lists 15 free trade agreements that confer duty-free treatment.
Changes to International Trademark Categories
The US Patent and Trademark Office (USPTO) revised Section 6.1 in part 6 of title 37 of the Code of Federal Regulations to incorporate classification changes and modifications that became effective January 1, 2018, as listed in the International Classification of Goods and Services for the Purposes of the Registration of Marks (11th ed., 2018) (Nice Classification), published by WIPO. Specifically, this rule adds new, or deletes existing, goods and services from 10 class headings. The changes to the class headings further define the types of goods and/or services appropriate to the class.

* * * * * * * * * * * * * * * * * * * * 

10. G. Hinck: “Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research”

(Source: Lawfare Blog, 5 Jan 2018.)
* Author: Garrett Hinck is a research intern at the Brookings Institution, Washington DC.
The United States successfully negotiated research-use exceptions to export controls on surveillance tools at the December 2017 meeting of the Wassenaar Arrangement, a club of advanced economies that coordinates export controls. These export controls – requirements that organizations selling or sending technologies with potential military applications abroad obtain a license from the Commerce Department – affect key swaths of the cybersecurity industry. Although countries implement export controls at the national level, the United States and 40 other countries have agreed to coordinate their controlled items at the Wassenaar Arrangement, an international framework for creating a voluntary export control regime. At this year’s meeting, the U.S. aimed to correct what the cybersecurity industry portrays as overly-broad controls on intrusive surveillance software – controls that security experts say “criminalized” essential tools for stopping malware. After years of debate over the proper scope of export controls on surveillance products, the U.S. has finally made a beachhead on getting long-sought-after exemptions for security research and information sharing. In this post, I describe the original Wassenaar export controls, summarize the 2017 revisions, and forecast what we should expect to see next.
The Arab Spring revealed how repressive regimes use Western commercially developed software surveillance tools to spy on dissidents and human rights activists. Human rights organizations sued a French company for giving to the Libyan government equipment that activists say enabled torture of dissidents. Privacy International and other civil-society groups pressured the British government to use existing legal mechanisms to restrict repressive regimes’ access to network intrusion software that enabled governments to intercept email, instant messaging and webcam data. (Citizen Lab’s research explores this topic extensively.) In 2013, the British and French governments negotiated the addition of two types of dual-use technology – “intrusion software” and “IP network communications surveillance systems” – to the lists of dual-use technologies that the Wassenaar Arrangement governs.
The Wassenaar Arrangement is an export control framework – not an international regulatory agency or treaty organization, but rather, a group of countries that meet regularly and agree to control certain technologies. An export control is a requirement that a company wishing to sell a product abroad get a government license to export the item; it is not a ban on that item’s export. Wassenaar has no way to make its controls legally binding on its members, who regulate controlled items through their domestic export control regimes. The arrangement’s 41 members include the U.S., nearly all the European Union (Cyprus is the lone outlier), Russia, Turkey, Argentina and South Africa. Its goal is to prevent “destabilising accumulations” of conventional arms and dual-use goods and technologies – items with both civilian and military applications.
The Intrusion Software Controls
The “intrusion software” control took on the difficult task of regulating surveillance software based on computer code functionality. Wassenaar defined intrusion software as “software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures” and that either extracted data from a computer or network device or modified the “standard execution path” of a program to allow “the execution of externally provided instructions.”
But rather than control intrusion software itself, the arrangement put export controls on software, systems or equipment that interacted with intrusion software. The provision would cover the software toolkits that companies sell to law enforcement and intelligence agencies to carry out intrusive surveillance – see for example Hacking Team’s notorious RCS package. It also controlled any type of technology involved in the development of intrusion software. “Technology” in the control’s context meant essentially any program, code or software tool that was connected to intrusion software. In one interpretation of the WA’s controls, “intrusion software” meant code that took advantage of an exploit. By controlling software that used software vulnerabilities to carry out surveillance, the WA control targeted a limited subset of items that related to software exploits.
When the United States tried to implement the intrusion software controls, Symantec, FireEye, independent security researchers and the EFF raised serious concerns about their effect on security software and research. First, the Commerce Department’s implementation through the Commerce Department’s Bureau of Industry and Security (BIS) expanded its scope to cover a broad range of cybersecurity items. Mailyn Fidler detailed for Lawfare how the controls ratcheted up efforts to control trade in software that used zero-day vulnerabilities. BIS said the controls would require export licenses for commercially available penetration testing products and that potentially any exploit sent abroad or even to a national of a foreign country would require a license. BIS published an extensive FAQ that attempted to clarify how the controls affected security research involving exploits. The EFF criticized the FAQ for creating more confusion than clarity on the controls’ scope. In addition, the Commerce Department revoked exemptions for commercially available software products that would have applied to many of the newly controlled security products. It also failed to provide license exceptions for security research. The security industry identified all of these actions as harmful to business and research activities.
But the cybersecurity industry also had problems with the substance of the Wassenaar language itself. Symantec, FireEye and other security software vendors said the intrusion software definition was too broad and it encompassed legitimate products like endpoint security systems and other tools that “hook” into a system to modify its code. They said further that the controls would also make it much more difficult for security research and vulnerability information sharing. The control on “technology for the development” of intrusion software would have covered many essential tools for the security research community such as exploit proofs-of-concept and automated vulnerability generators.
In response to a deluge of comments opposing the rule, the Commerce Department withdrew the proposal. After escalating criticism and a dressing down from the House oversight committee, the Commerce Department convened with its interagency partners to revise the U.S. approach. In March 2016, Commerce Secretary Penny Pritzker said in a letter that the United States would attempt to remove the intrusion software controls at that year’s Wassenaar meetings. In December 2016, the U.S. negotiating team (with added technical experts from the cybersecurity community) failed to convince the other 40 Wassenaar members to agree on narrower language. Bipartisan groups of lawmakers in the House and Senate urged the Trump administration to continue the push to alter the Wassenaar language at the 2017 meeting.
2017 Revisions to the Wassenaar Controls
At the December 2017 Wassenaar meeting, the members agreed on a set of changes to the intrusion software controls. It received limited media coverage. The revised control list included several additions and alterations that Katie Moussouris, a security professional and technical adviser to the U.S. Wassenaar delegation, hailed as fixes for the problems the cyber industry had complained about. The changes are:
  – Replacing language that controlled software specially designed to operate or communicate with intrusion software with the terms software specially designed for command and control of intrusion software.
  – Adding an exception for software that carries out updates authorized by the owner or operator of the system.
  – Adding exemptions for controls on technology either involved in the development of intrusion software or the development of software that operates, controls or delivers intrusion software. These exemptions said the controls do not apply for vulnerability disclosure or cyber incident response activities. The list defines vulnerability disclosure and cyber incident response as processes for sharing information about vulnerabilities and cyber incidents but does not explain how these exemptions apply to specific categories of items.
  – Adding a clarifying note saying that the above-described exemptions “do not diminish national authorities’ rights to ascertain compliance” with existing controls.
The alterations appear to address some of the concerns associated with the Wassenaar language, notably the concerns from the security research community about vulnerability information sharing. But it is not yet clear how the new language mitigates concerns about the broad definition of intrusion software that may encompass legitimate security tools not used for “vulnerability disclosure” or “cyber incident response.” Rob Joyce, White House cybersecurity coordinator, has praised the changes, as has Rep. Jim Langevin, a leading congressional voice on this issue.
What Comes Next?
The path forward is not clear. The Commerce Department could use the new language to craft a new proposed rule, to be followed by yet another public comment period. It would have to decide whether to add more exceptions and how to define how the new exemptions apply. Alternatively, Commerce could delay implementing the revised list and wait for the next meeting’s negotiations. In that scenario, Commerce could push for the U.S. delegation to demand more substantial changes to Wassenaar’s definition of intrusion software. But the human rights and internet freedom communities united with industry to oppose the 2015 proposed rule, and it is not clear whether the new changes will satisfy their concerns.
The Wassenaar changes could cause confusion for other countries as well. The EU has had intrusion software on its export control list since 2015. But as revelations that European companies sold surveillance toolkits to Middle Eastern dictators continued, the EU has sought to revamp its dual-use export control legislation in the interest of human rights. Separately, Israel (which is not a Wassenaar member but has a domestic law that adopts all Wassenaar controls automatically) attempted to more rigorously define intrusion software in early 2016. Doron Hindin detailed this effort for Lawfare. But a few months later, Israel shifted its policy on export controls, substantially reducing the scope and strength of the license requirements. It is unclear how the newest Wassenaar shift will play into both the EU export control reform initiative and the liberalized Israeli approach.
The Trump administration has until March to submit any proposals for changes to the Wassenaar control list to be negotiated this year. For now, the security community will be waiting for the administration’s next move. This debate, which has shown the difficulty of defining the appropriate regulations for hacking tools, is far from over.

* * * * * * * * * * * * * * * * * * * * 

11. M. Volkov: “Five Major Compliance Predictions for 2018”

(Source: Volkov Law Group Blog, 8 Jan 2018. Reprinted by permission.)
* Author: Michael Volkov, Esq., Volkov Law Group, mvolkov@volkovlaw.com, 240-505-1992.
When you look back on the rise of the ethics and compliance profession, you cannot ignore the history of accomplishments.  It is easy to minimize these accomplishments as a reaction to the government’s aggressive FCPA enforcement program.
Companies are starting to embrace ethics and compliance as a positive force to build sustainable financial growth – which is the true calling of a robust ethics and compliance program.  I could easily build a positive posting on this trend and call it a day.  But that is not the real story, and my predictions will outline some significant concerns in this new world of ethics and compliance.
So, here are my five significant predictions:
Ethical Culture is the Key:  Forward-thinking companies recognize that an ethical culture is the best control that a company can implement.  The problem is that the number of forward-thinking companies continues to be relatively small in comparison to the number of companies that ignore this obvious truism – ethical companies make more money and better perform than non-ethical companies.
Luckily, the compliance profession is beating the drum to focus companies on ethical culture.  Chief compliance officers know that pushing ethics is an important means to promote an overall ethics and compliance program.  CCOs are quickly embracing the need for focusing resources and time on a company’s culture.
Watch Out Corporate Boards:  In this era of growing activism challenging corporate boards and senior executives, corporate boards will face increasing challenges to their corporate governance performance, and specifically, their oversight and monitoring of corporate ethics and compliance programs.  As the compliance profession matures, it is inevitable that corporate activists will use ethics and compliance deficiencies as one of several weapons against entrenched corporate boards.
Company boards set the tone of a company and its ethical culture.  If a board ignores the issue, the company inevitably suffers; when the board engages on the issue, the CEO, senior executives and the company benefit.  Corporate boards have been shirking their duties in this area, relying on outdated and defensive corporate governance models, all designed to escape so-called litigation risks.
Ethics and Compliance Resources:  I have written frequently about corporate failures to adequately fund and staff ethics and compliance programs.  It is one thing to make a paper commitment to ethics and compliance, and it is quite another to allocate the resources needed to operate an effective ethics and compliance program.  Too often, I learn about ethics and compliance programs that are short-staffed, under-resourced, and relying on outmoded technology or even paper systems.  To put it mildly, this is unacceptable and an obvious shortcoming across the ethics and compliance industry.
Testing and Auditing Compliance Programs: Companies that have invested in their ethics and compliance programs are increasing their efforts to test, assess and audit their compliance programs. It is an important step in the evolution of a corporate compliance program – corporate leaders and the CCO need to learn how the company’s ethics and compliance program is performing.  A company cannot develop an effective program that continuously improves unless it implements a sophisticated testing protocol.
Auditing Third-Party Agents and Distributors: The Justice Department and the SEC have pushed companies to include robust auditing provisions in their contracts with third party agents and distributors.  Many companies have implemented such contractual provisions in the normal course of business.  However, only a few companies have implemented risk-based auditing programs built on exercising their audit rights to review third-party agents and distributors.  As a consequence, companies need to reassess this area and are likely to increase the number of proactive high-risk audits.

* * * * * * * * * * * * * * * * * * * * 

12. T. Murphy: “Border Searches of Personal Electronic Devices”

(Source: Author, 9 Jan 2018.)
* Author: Ted Murphy, Esq., Baker McKenzie, ted.murphy@bakermckenzie.com.
We wanted to highlight for you an interesting development regarding searches and seizures of personal electronic devices by U.S. Customs and Border Protection (CBP) at the border.
CBP recently announced that, in fiscal year 2017 (which ended September 30, 2017), it searched the personal electronic devices of 30,200 travelers (inbound and outbound), which is up over 60% from the prior year.  Devices include any communication, electronic, and digital devices, including computers, tablets, removable media, disks, drives, tapes, mobile phones, cameras, music and other media players.  These searches and seizures are stated to be conducted to identify and respond to terrorism threats, smuggling attempts, illegal immigration, etc. and have been the subject of multiple lawsuits.  CBP also updated its directive “Border Search of Electronic Devices” (CBP Directive No. 3340-049A).  
What You Should Know
CBP has broad authority to search individuals, and their belongings, entering or exiting the country.  There is no reasonable suspicion, probable cause, or warrant requirement.  Encrypted and passcode protected content may also be searched.  Travelers that refuse to assist CBP in accessing protected content may have their devices detained.
In addition to reviewing content stored on the device (a ‘basic search’), CBP may also conduct an ‘advanced search’ if there is reasonable suspicion of activity in violation of laws enforced or administered by CBP (e.g., customs, export control, immigration laws, etc.).  An advanced search is any search in which an Officer connects external equipment, through a wired or wireless connection, to an electronic device not merely to gain access to the device, but to review, copy, and/or analyze its contents.
Not all device content is treated equally.  For example, CBP treats content stored on the device differently than content stored remotely (CBP may only access content stored on the device).  In addition, CBP must initiate specific procedures when a traveler contends that certain content is privileged or sensitive.
Considering the prominent role of electronic devices in today’s society, CBP’s updated Directive, and the Trump Administration’s focus on border security, device searches at the border will likely continue to increase.
If your company has executives or employees who travel frequently, we recommend preparing those individuals to respond appropriately if/when CBP Officers ask to search their devices (e.g., do employees have to provide their passcodes, if requested by CBP?).  For example, updating your company’s travel policies to address this issue and then publishing the updates internally could be a good start to preparing employees for this eventuality.  In addition, we recommend that all companies review their company’s data storage policies to ensure the company’s most sensitive data is stored remotely, rather than locally on devices (or that employees have only limited amounts of sensitive data stored locally).  While these are not traditional “customs compliance issues,” they are nevertheless important issues the in-house trade compliance team should be raising internally.

* * * * * * * * * * * * * * * * * * * * 



Are Your Copies of Regulations Up to Date?
(Source: Editor)

The official versions of the following regulations are published annually in the U.S. Code of Federal Regulations (C.F.R.), but are updated as amended in the Federal Register.  The latest amendments to applicable regulations are listed below.
ATF: 27 CFR Part 447-Importation of Arms, Ammunition, and Implements of War
  – Last Amendment: 15 Jan 2016: 81 FR 2657-2723: Machineguns, Destructive Devices and Certain Other Firearms; Background Checks for Responsible Persons of a Trust or Legal Entity With Respect To Making or Transferring a Firearm. 
Customs: 19 CFR, Ch. 1, Pts. 0-199
  – Last Amendment: 8 Dec 2017: 82 FR 57821-57825: Civil Monetary Penalty Adjustments for Inflation

DOD/NISPOM
  – Last Amendment: 18 May 2016: Change 2: Implement an insider threat program; reporting requirements for Cleared Defense Contractors; alignment with Federal standards for classified information systems; incorporated and cancelled Supp. 1 to the NISPOM

EAR: 15 CFR Subtit. B, Ch. VII, Pts. 730-774

  – Last Amendment(s): 8 Jan 2018: 83 FR 709-711: Revisions, Clarifications, and Technical Corrections to the Export Administration Regulations; Correction; and 83 FR 706-709: Civil Monetary Penalty Adjustments for Inflation

FACR/OFAC: 31 CFR, Parts 500-599, Embargoes, Sanctions, Executive Orders
  – Last Amendment: 28 Dec 2017: 82 FR 61450-61451: Iraq Stabilization and Insurgency Sanctions Regulations

FTR: 15 CFR Part 30
  – Last Amendment: 20 Sep 2017: 82 FR 43842-43844: Foreign Trade Regulations (FTR): Clarification on Filing Requirements; Correction
  – HTS codes that are not valid for AES are available
  – The latest edition (1 Jan 2018) of Bartlett’s Annotated FTR (“BAFTR”), by James E. Bartlett III, is available for downloading in Word format. The BAFTR contains all FTR amendments, FTR Letters and Notices, a large Index, and footnotes containing case annotations, practice tips, Census/AES guidance, and to many errors contained in the official text. Subscribers receive revised copies every time the FTR is amended. The BAFTR is available by annual subscription from the Full Circle Compliance website.  BITAR subscribers are entitled to a 25% discount on subscriptions to the BAFTR.
HTSUS, 1 Jan 2018: 19 USC 1202 Annex. (“HTS” and “HTSA” are often seen as abbreviations for the Harmonized Tariff Schedule of the United States Annotated, shortened versions of “HTSUSA”.)
  – Last Amendment: 1 Jan 2018: Updated HTS for 2018

  – HTS codes for AES are available here.
  – HTS codes that are not valid for AES are available here.

ITAR
  – Last Amendment: 3 Jan 2018: 83 FR 234-237: Department of State 2018 Civil Monetary Penalties Inflationary Adjustment
  – The only available fully updated copy (latest edition: 3 Jan 2018) of the ITAR with all amendments is contained in Bartlett’s Annotated ITAR (“BITAR”), by James E. Bartlett III. The BITAR contains all ITAR amendments to date, plus a large Index, over 800 footnotes containing amendment histories, case annotations, practice tips, DDTC guidance, and explanations of errors in the official ITAR text. Subscribers receive updated copies of the BITAR in Word by email, usually revised within 24 hours after every ITAR amendment. The BITAR is available by annual subscription from the Full Circle Compliance website. BAFTR subscribers receive a 25% discount on subscriptions to the BITAR; please contact us to receive your discount code.

* * * * * * * * * * * * * * * * * * * *

Weekly Highlights of the Daily Bugle Top Stories

(Source: Editor) 

Review last week’s top Ex/Im stories in “Weekly Highlights of the Daily Bugle Top Stories” published 

* * * * * * * * * * * * * * * * * * * *


* The Ex/Im Daily Update is a publication of FCC Advisory B.V., compiled by: Editor, James E. Bartlett III; Assistant Editors, Alexander P. Bosch and Vincent J.A. Goossen; and Events & Jobs Editor, John Bartlett. The Ex/Im Daily Update is emailed every business day to approximately 8,000 readers of changes to defense and high-tech trade laws and regulations. We check the following sources daily: Federal Register, Congressional Record, Commerce/AES, Commerce/BIS, DHS/CBP, DOJ/ATF, DoD/DSS, DoD/DTSA, State/DDTC, Treasury/OFAC, White House, and similar websites of Australia, Canada, U.K., and other countries and international organizations.  Due to space limitations, we do not post Arms Sales notifications, Denied Party listings, or Customs AD/CVD items.

* RIGHTS & RESTRICTIONS: This email contains no proprietary, classified, or export-controlled information. All items are obtained from public sources or are published with permission of private contributors, and may be freely circulated without further permission. Any further use of contributors’ material, however, must comply with applicable copyright laws.

* CAVEAT: The contents of this newsletter cannot be relied upon as legal or expert advice.  Consult your own legal counsel or compliance specialists before taking actions based upon news items or opinions from this or other unofficial sources.  If any U.S. federal tax issue is discussed in this communication, it was not intended or written by the author or sender for tax or legal advice, and cannot be used for the purpose of avoiding penalties under the Internal Revenue Code or promoting, marketing, or recommending to another party any transaction or tax-related matter.

* SUBSCRIPTIONS: Subscriptions are free.  Subscribe by completing the request form on the Full Circle Compliance website.
