In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations (ITAR), the State Department confirmed that a company could use a data security method called “tokenization” to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took “sufficient means” to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly available formal position from the State Department on the ITAR implications of cloud computing.
The State Department’s advisory opinion, released in redacted form by the requesting company, is narrow – focused on a specific license exemption at 22 C.F.R. 125.4(b)(9) that authorizes exports of technical data for use solely by U.S. persons employed by the U.S. government or a U.S. company. The opinion states that, subject to the conditions of the exemption, “tokenization may be used to process controlled technical data” in the cloud without a license, even if the “tokenized data” moves to servers located outside the United States. Tokenization is a technique in which a sensitive data element is substituted by a “token,” a non-sensitive data element that has no extrinsic or exploitable meaning or value. The “token” electronically maps back to the sensitive data element.
The opinion states that the company must take “sufficient means...to ensure the technical data may only be received and used by U.S. persons who are employees of the U.S. government or are directly employed by a U.S. corporation...throughout all phases of the transfer, including but not limited to transmission, storage, and receipt.” In essence, the advisory opinion appears to indicate that the company may transfer “tokenized data” to foreign servers in the cloud, provided the company ensures that such “tokenized data” transfers do not result in transfers of the actual technical data to ineligible recipients (e.g., foreign persons). However, the State Department published a subsequent clarification on its website in response to an initial press release issued by the requesting company that the State Department found misleading. The State Department’s clarification notice suggests that the company was interpreting the advisory opinion too broadly and emphasizes that the agency did not intend to imply that “tokenization” by itself was a “sufficient means” to achieve adequate levels of assurance that technical data would not be transferred to foreign persons.
The advisory opinion is significant for two reasons. First, it is the first publicly available opinion from the State Department on the ITAR implications of cloud computing. Second, although the opinion is quite narrow in scope, the State Department has taken the position that technical data may be stored or maintained on cloud-based servers outside the United States if the conditions of the applicable ITAR license exemption are satisfied and “sufficient means” are taken to prevent foreign persons from accessing such data. Based on the agency’s subsequent clarification notice, however, it remains to be seen (i) whether companies are obligated to preclude foreign persons’ access not only to “technical data” (as the original opinion states) but also to the corresponding “tokenized data” (as the subsequent clarification notice suggests), and (ii) what, if any, technologies or methods the agency would consider to be “sufficient means” for purposes of securing ITAR-controlled technical data in a cloud computing environment.
The company has posted a redacted version of the advisory opinionhere, and the State Department has posted its clarification of the opinion here. Given the agency’s public objection to the requesting company’s original interpretation of the advisory opinion, exporters that use cloud-based services will need to continue to be very cautious about the storage of ITAR data on cloud-based servers and should consider seeking guidance from the State Department on these issues.