One of the most frustrating ways in which the Luddites at DDTC have made life difficult for exporters in the 21st century is by taking the position that encrypted technical data is the same thing as unencrypted technical data for purposes of the ITAR. So if you put encrypted technical data on a cloud server outside the United States, you’d better get measured for an orange jumpsuit, because you’ve just exported technical data. Never mind, of course, that no one outside the United States can actually read or decrypt the data; you’ve still exported it.
Even the DoD, hardly a progressive force in these matters, thinks this position is nonsense. As we reported a while back, the DoD defended its decision to use Chinese satellites to transmit its own data on the grounds that all the data encrypted and thus meaningless to our friends in Beijing. Since DoD has guns, and DDTC does not, you won’t be surprised as to who would win any argument between DoD and State on the efficacy of encryption for these purposes.
So earlier this month, you might have been surprised to see this press release from Perspecsys:
Perspecsys, the leader in enterprise cloud data protection, announced today that it received a written ruling from the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) confirming that technical data secured using Perspecsys tokenization can be processed outside the U.S. through the cloud without obtaining an export license under the International Traffic in Arms Regulations (ITAR).
In its groundbreaking decision, DDTC reinterpreted the ITAR to authorize the use of Perspecsys tokenization to process ITAR technical data in the cloud without a license, even where the tokenized technical data may be transferred to servers located outside the United States. DDTC’s new interpretation shifts the regulatory landscape – opening the cloud to companies subject to the ITAR.
Tokenization is a process whereby a random token is issued to replace sensitive data such as a credit card number. Unlike encryption, there is no algorithm to decode the token back into the credit card number. Rather the token and the original data are maintained on a secure server which can be used to replace the token when necessary. Thus, if the press release were to be believed, if the translation server remained in the United States, the token for technical data could be transferred to a cloud outside the United States without need for an export license.
Of course, before you get too excited, I regret to inform you that this is not what the DDTC advisory opinion actually said. Instead, it said that section 125.4(b)(9) might exempt tokenized data if it was sent by by a U.S. employee overseas to another U.S. employee and no foreign person had access to the tokenized data. In other words, tokenized data would be treated exactly the same as its non-tokenized counterpart and was eligible only for export subject to exceptions that would be applicable to all technical data, whether encrypted, tokenized or in plain text.
DDTC was not amused by Perspecsys’s suggestion in its press release that the agency had finally entered the 21st century. So the agency “requested” that Perspecsys post a statement that amounts to a retraction of Perspecsys’s earlier press release. In that statement, DDTC clarified (a) that only transfers from a U.S. corporation to its own U.S. national employees was covered by the advisory opinion, (b) that steps must be taken to assure that no foreign persons had access to the data and (c) that the advisory opinion did not hold that tokenization constituted sufficient steps to prevent foreign access to the technical data.
All this makes me wonder: if you shred controlled technical data into a million tiny bits of paper do you have to make sure that the garbage collector is not a foreign person and that no foreign persons are allowed to visit the garbage dump?