In an advisory opinion dated November 13, 2014, the Bureau of Industry and Security (“BIS”) rode once again into the cloud computing breach to confront the tricky metaphysical question of when software that lives in the cloud is exported. At issue is this: when a foreign user accesses a U.S. server running a software application, say Adobe Photoshop, has the software for the application been exported to the foreign user? In such a scenario, the foreign user will be using the software in exactly the same fashion as if it had been downloaded and installed on his local hard drive, with the only difference being a slight lag if his Internet connection is poor.
The BIS advisory opinion takes what might be called, in philosophical terms, a positivist approach to this question:
Instead of downloading the software and processing data locally the foreign user of a U.S. server sends its data to the cloud for processing, and causes its processed data to be transmitted back to it. Although there may be export of technology in this context, there is no export of software.
So the silver lining here, for cloud companies, is this literalist view of software exports. Software is exported when a physical disk with the software or an electrical impulse representing the code crosses a border. The mere fact that someone uses the software remotely does not mean it has been exported.
Now for the “Or Not” in the headline. Although BIS’s literalist approach to the download of software has a certain appeal, and is likely to be welcomed by cloud providers, there is something that the advisory opinion does not say. And this is where we can see the utter insanity of having export control scattered over competing agencies each trying to establish their own primacy in the export control domain. The advisory opinion says nothing about the rules of the Office of Foreign Assets Control (“OFAC”) which, in more than a few instances, might be implicated by the cloud scenario described above. Suppose the foreign user is in, say, Iran. Although the U.S. cloud provider might not be exporting software to Iran, at least the way BIS sees it, it certainly will be exporting a service to Iran in violation of OFAC rules.
Faithful readers of this blog will likely recognize this issue, but others reading the BIS opinion might conclude that, because there is no export of the software to Iran, it is completely legal to make the program available to Iranians from a U.S.-based cloud. Until all export control is moved under the control of one agency, this kind of nonsensical trap will continue to snare innocent people and businesses for no good reason.